UNCLASSIFIED//FOR OFFICIAL USE ONLY

CMS-3
ORIGINAL

NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM
1560 Colorado Avenue
Andrews AFB, MD 20762-6108

CMS-3

DEPARTMENT OF THE NAVY (DON)
COMMUNICATIONS SECURITY MATERIAL SYSTEM (CMS)
CENTRAL OFFICE OF RECORD (COR)
AUDIT MANUAL

01 Jul 2019



DEPARTMENT OF THE NAVY

COMMUNICATION SECURITY MATERIAL SYSTEM

IN REPLY REFER TO: 5040

Ser N7/ 01 Jul 2019

LETTER OF PROMULGATION

1. PURPOSE. To promulgate guidance for use in the conduct of Training Visits and Central Office of Record (COR) audits on COMSEC accounts within the Department of the Navy. The guidance in this manual is based on policy and procedures set forth in Navy, DoD and National level policy and doctrine.

2. ACTION. CMS-3 is effective upon receipt and supersedes EKMS-3E (with Amendment 1) dated 20 Aug 2017.

3. REPRODUCTION. CMS-3 is authorized for reproduction, distribution and use in any operational environment and is available via the NCMS SIPRNET Collaboration at-Sea (CAS) website located at http://www.uar.cas.navy.smil.mil/secret/navy/39/site.nsf and the INFOSEC website located at https://infosec.navy.mil

4. COMMENTS. Submit comments, recommendations, and suggestions for changes to Naval Communications Security Material System (NCMS) N7/N5 via the unit's administrative chain of command.

A. T. SAXON


LIST OF EFFECTIVE PAGES

PAGE NUMBER

Front Cover                  (unnumbered)   Original
Letter of Promulgation       (unnumbered)   Original
List of Effective Pages      i              Original
Record of Amendments         ii             Original
Record of Page Checks        iii            Original
Table of Contents            iv - vi        Original
Chapter 1                    1-1 - 1-2      Original
Chapter 2                    2-1 - 2-4      Original
Chapter 3                    3-1 - 3-2      Original
Chapter 4                    4-1 - 4-2      Original
Annex A                      A-1 - A-20     Original
Annex B                      B-1 - B-14     Original
Annex C                      C-1 - C-3      Original
Annex D                      D-1 - D-3      Original
Annex E                      E-1 - E-2      Original
Annex F                      F-1            Original
Annex G                      G-1            Original
Back Cover (Reverse Blank)   (unnumbered)   Original


RECORD OF AMENDMENTS

Identification of Amendment   Date Entered (YYMMDD)   By Whom Entered (Signature, Rank or Rate, Command Title)


RECORD OF PAGE CHECKS

DATE CHECKED   CHECKED BY (SIGNATURE, RANK/RATE, COMMAND TITLE)
24 Jun 2019    PHILLIPS, M. J. GG-13, NCMS


TABLE OF CONTENTS

CHAPTER 1 – INTRODUCTION TO THE COMSEC MATERIAL SYSTEM (CMS) CENTRAL OFFICE OF RECORD (COR) AUDIT PROGRAM
  101. Purpose
  103. Applicability
  105. Responsibilities
    a. Naval Communications Security Material System (NCMS)
    b. Immediate Superior in Command/Immediate Unit Commander (ISIC/IUC)
    c. CMS Central Office of Record (COR) Auditor
    d. COMSEC Account Manager (CAM)
  107. Physical Security Inspections
    a. Physical Security Inspection
    b. Physical Security Survey (PSS)

CHAPTER 2 – CMS COR AUDIT POLICY AND PROCEDURES
  201. General Policy
  203. CMS COR Audit Process
    a. Audit Preparation
    b. CMS COR Audit Guidance
    c. Training & Assistance Visits
    d. Approval of COMSEC Facilities
    e. Evaluation Criteria
    f. Re-Audit

CHAPTER 3 – ASSIGNMENT OF CMS COR AUDITORS
  301. Designation Requirements for CMS COR Auditors
  303. Designation Guidelines

CHAPTER 4 – CMS COR AUDIT REPORTING PROCEDURES
  401. Content and Submission Guidelines
  403. Feedback Report
  405. Privileged Nature of Audit Reports


LIST OF ANNEXES

ANNEX A: Account Oversight and Management
  SECTION I - ACCOUNT OVERSIGHT & ADMINISTRATION
    TAB 1 - CO's Responsibilities
    TAB 2 - Appointment, Briefings and Training
    TAB 3 - Manager Responsibilities
    TAB 4 - COMSEC Library
  SECTION II - ACCOUNT MANAGEMENT
    TAB 1 - Accountability & Management of COMSEC Material
    TAB 2 - Page Checks, Corrections & Amendments
    TAB 3 - COMSEC Files, Records and Retention
  SECTION III - PLATFORM OVERSIGHT AND CONFIGURATION MANAGEMENT
    TAB 1 - Platform Security, Visual Inspections, Device Recertification, and Information Assurance Vulnerability Alert (IAVA) Compliance
    TAB 2 - Over-The-Air-Distribution/Rekey/Transfer (OTAD/OTAR/OTAT) & Electronic Storage Device Requirements
  SECTION IV - SECURITY
    TAB 1 - Physical Security
    TAB 2 - Emergency Action Plan (EAP)
    TAB 3 - Emergency Destruction Plan (EDP)

ANNEX B: LOCAL ELEMENT (LE)
  SECTION I - LOCAL ELEMENT RESPONSIBILITIES
    TAB 1 - Appointment, Briefings and Training
  SECTION II - LOCAL ELEMENT COMSEC MANAGEMENT
    TAB 1 - Accountability & Management of COMSEC Material
    TAB 2 - Page Checks, Corrections & Amendments
    TAB 3 - COMSEC Files, Records and Retention
  SECTION III - SECURITY
    TAB 1 - Physical Security
    TAB 2 - Emergency Action Plan (EAP)
    TAB 3 - Emergency Destruction Plan (EDP)

ANNEX C: COMSEC Vault Inspection Guide
ANNEX D: Fixed COMSEC Facility Inspection Guide
ANNEX E: CMS COR Audit Report (Example)
ANNEX F: CMS COR Audit Feedback Report (Example)
ANNEX G: ISIC Audit Endorsement (Example)


CHAPTER 1 – INTRODUCTION TO THE COMSEC MATERIAL SYSTEM (CMS) CENTRAL OFFICE OF RECORD (COR) AUDIT PROGRAM

101. PURPOSE: The guidance herein will be used as the official criteria for the conduct of Training Visits, CMS COR audits, self-assessments and spot checks at DON COMSEC Accounts. A CMS COR audit encompasses a thorough review of account management practices, an examination of records and re-certification of facilities for COMSEC material storage.

103. APPLICABILITY: The requirements herein apply to DON (MSC, USCG, USMC, and USN) COMSEC accounts and ISIC/IUCs whose subordinate activities handle, distribute, account for, store or use COMSEC material, maintain a numbered COMSEC account and supported Local Elements (LE). Additional requirements may be imposed by the Commandant of the Marine Corps (CMC C4/CY), Coast Guard (USCG) C3CEN, Fleet Commanders (FLTCDRS), Type Commanders (TYCOM), and Immediate Superiors in Command/Immediate Unit Commanders (ISIC/IUC) applicable to supported commands, units and activities.

105. RESPONSIBILITIES:

a. NCMS: NCMS serves as the COR, administers the DON COR audit program, is responsible for training auditors and is the final designating authority for auditors.

b. Immediate Superior in Command/Immediate Unit Commander (ISIC/IUC): Per Title 10 Public Law and CMS-1 (series), ADCON ISICs/IUCs are responsible for the oversight of subordinate units' COMSEC programs, including scheduling and conducting initial facility approvals and COR audits for subordinate units.

c. CMS COR Auditor: COR auditors are responsible for the proper conduct of COR audits and timely reporting of the findings in accordance with this manual.

d. COMSEC Account Manager (CAM): The individual appointed in writing by the commanding officer (CO), officer-in-charge (OIC) or staff CMS responsibility officer (SCMSRO) to manage the COMSEC account. Where used herein, the terms COMSEC account manager, manager or Key Management Infrastructure (KMI) operating account manager (KOAM) refer to the COMSEC account manager and alternates.

107. PHYSICAL SECURITY INSPECTIONS:

a. Physical Security Inspection: An inspection intended to ensure an area(s) being designated for storage of Controlled Cryptographic Items (CCI) or classified material meets minimum security requirements for safeguarding that material.

b. Physical Security Survey (PSS): An evaluation of the overall security posture of a given facility or activity. The survey will be completed using NAVMC 11121 and should not be regarded as an inspection or investigation. At the discretion of the CO, the completed NAVMC 11121 may be used as part of the physical security inspection.

(1) Marine Corps: Physical security inspections are normally conducted as part of the command inspection program. COs will establish local physical security inspection programs for subordinate commands. An on-site examination will be conducted by a trained physical security specialist (MOS 5814) to identify security weaknesses and recommend corrective measures. For additional information see MCO 5530.14 (series).

(2) Coast Guard: Physical security inspections are conducted to ensure proper protection and safeguarding, as well as to prevent the loss or compromise of COMSEC material, per COMDTINST M5530.1 (series).


CHAPTER 2 – CMS COR AUDIT POLICY AND PROCEDURES

201. GENERAL POLICY: All DON COMSEC accounts will undergo a formal COMSEC COR audit in accordance with Article 311 to CMS-1. The ADCON ISIC is responsible for the scheduling and conduct of COMSEC COR audits for their subordinate units. COR auditors must be properly cleared, trained, certified and designated in accordance with Chapter 3 to this manual. See Article 311 to CMS-1 for additional information.

203. CMS COR AUDIT PROCESS:

a. Audit Preparation. Prior to the audit, the auditor(s) from the ADCON ISIC organization shall:

(1) Review account management history to include:
(a) Current facility approval letter.
(b) Results of the previous CMS COR audit.
(c) Results of the most recent self-assessment.
(d) Documentation related to corrective actions taken regarding previously identified deficiencies.
(e) Documentation related to COMSEC incidents or Practices Dangerous to Security (PDSs) involving the unit.
(f) Other areas of special interest identified by NCMS, ISIC/IUC or higher authority.
(g) Request and review a SNAPSHOT of the account. (A SNAPSHOT can be requested via digitally signed email to the unit's COR manager; include the account number and command name in the request.)

b. CMS COR Audit Guidance: The audit shall be conducted in sufficient detail to properly evaluate the safeguarding, accounting and disposition of COMSEC material and will include the COMSEC Account, all internal LEs (less those only holding STEs and KSV-21s), and a minimum of three external LEs supported through a LOA/MOU. The auditor shall determine which external LEs to include in the audit based on risk management, which considers: (a) the classification, sensitivity and volume or amount of material held, (b) the number of personnel with access to the material and (c) the results of spot checks and/or self-assessments conducted on the LE. LEs not located within 50 miles of the supporting account may be exempted from the audit at the discretion of the auditor. Annexes A through D of this manual, as applicable, will be used for audits, self-assessments, spot checks and facility approvals. Individual Service Headquarters, Fleet Commanders, TYCOMs and ISIC/IUCs may evaluate additional COMSEC-related areas beyond those set forth herein when promulgated in written instructions, policy or regulations the account is required to comply with. Additional requirements incorporated into audit guidelines shall contain reference to source documents.

CAMs designated as CMS COR auditors shall not conduct formal CMS COR audits on their own account or LEs supported by the parent account. Additionally, CMS COR auditors who hold a KMI role within the account, i.e. Client Platform Security Officer (CPSO) or Client Platform Administrator (CPA), shall not conduct CMS COR audits on the account(s) they are affiliated with.

The auditor is tasked with identifying non-compliance with applicable policies, analyzing factors or trends which impede effective account management, and providing recommendations for improvement. The audit process should encompass training and education in areas in need of improvement to enhance account management practices and training programs. The audit may encompass querying CAMs and LE personnel on policy or procedural matters or require a demonstration of commonly performed functions, i.e. inventorying COMSEC material, performing routine destruction, or conducting audit trail reviews. Weaknesses in these areas may reveal the need for additional training to ensure COMSEC material is properly managed.

c. Training & Assistance Visits (TAV): Each DON COMSEC account will receive a TAV prior to the COR audit as discussed in Art. 309 to CMS-1. See Article 317 to CMS-1 for additional information regarding services provided by the CMS Assistance and Audit (A&A) Training Teams.

d. Approval of COMSEC Facilities: In accordance with CMS-1 (series), initial facility approval is revalidated during the CMS COR audit process. USMC units audited will provide the auditor a copy of the most recent Physical Security Survey (PSS). USCG units audited will provide the auditor a copy of the most recent Physical Security Checklist from COMDTINST M5530.1 (series) completed by the Cognizant Security Official. A manager-conducted self-assessment will not be accepted for this purpose. If the facility has not been revalidated within the stated periodicity, Annexes C or D, as applicable, must be used to ensure minimum physical standards are compliant with policy.

e. Evaluation Criteria: Upon completion of the audit, an evaluation will be rendered based on the standards reflected below. Matters previously identified, documented and properly reported by the unit per the below guidance are not to be used in the assessment. Discovery of the below equal to or in excess of the criteria reflected will result in an unsatisfactory assessment.

Grade            Criteria

Unsatisfactory   1 COMSEC incident, 3 PDSs or 40 administrative discrepancies are discovered during the audit.

Satisfactory     No COMSEC incidents, 2 or less PDSs and 30 or less administrative discrepancies are discovered during the audit.

Noteworthy       No COMSEC incident and 2 or less PDSs discovered during the audit or within 90 days prior to the audit; 15 or less administrative discrepancies discovered during the audit.

Outstanding      No COMSEC incident or PDSs discovered during the audit or within 90 days of the audit; 5 or less administrative discrepancies discovered during the audit.

NOTE: Repetitive minor administrative errors (e.g., missing initials on line-outs, required blocks not marked on a SF-153 to indicate the action denoted by the SF-153, i.e. received, inventoried, destroyed, witness, or other) should be assessed by auditors as a single error.

(1) Incidents of the same category discovered during an audit should be consolidated in a single INITIAL REPORT OF COMSEC INCIDENT; see Art. 907 to CMS-1 (series).

(2) Regardless of the assessment, the auditor should note particular trends which may indicate the need for additional clarity in local policy, development of SOPs or training, and include such recommendations in the final report. A follow-up visit/audit by the ISIC/IUC on the areas in need of improvement is recommended to ensure the concerns do not become repetitive or ongoing in nature. When not possible due to distance, funding, etc., the unit audited should report actions taken to the ISIC/IUC via email, message, or official letter, as desired.

(3) A separate report shall be prepared by the auditor for the account and each external LE audited.

(4) The official audit report shall include the number and description of COMSEC incidents, PDSs, and administrative discrepancies discovered and an overall assessment of the COMSEC account (including internal LEs) or external LE, as applicable.

(5) The CMS COR audit conducted by the ISIC/IUC or NCMS and endorsed by the ISIC is the only official CMS COR audit. No other entities will conduct CMS COR audits.

f. Re-Audit: Based on the number and severity of incidents, PDSs or administrative discrepancies noted during the audit, the ISIC may conduct a follow-up audit or accept a written report signed by the CO of the audited account certifying corrective action has been taken to document and resolve all discrepancies noted.

(3) Certification/Re-certification failure:

(a) Certification: The COMSEC facility must be modified to meet specifications and be re-inspected.

(b) Re-certification: The account must comply with waiver requirements as set forth in OPNAVINST 5530.14 (series). When mandatory security requirements cannot be met, commands shall enter the discrepancy into the Core Vulnerability Assessment Management Program (CVAMP) and request waivers or exceptions from CNO (N4) via their chain of command. If approved, the waiver will exempt the recipient from a specific security standard for a maximum of 12 months. Repairs should be effected as soon as possible, and the COMSEC facility re-inspected. For USN facilities, waiver requests must be forwarded to NAVFACENGCOM prior to submission to the CNO (N4), with an information copy to NCMS//N5// to continue to hold COMSEC material.


CHAPTER 3 - ASSIGNMENT OF CMS COR AUDITORS

301. DESIGNATION REQUIREMENTS FOR CMS COR AUDITORS: Auditors must meet the same requirements as a CAM (not alternate) as set forth in Art. 313, 401 and 403 to CMS-1 prior to appointment. Additional requirements include:

a. Completion of the latest versions of the following computer based training (CBTs):
(1) Client Platform Administrator (CPA)*
(2) Client Platform Security Officer (CPSO)*
(3) Token Security Officer (TSO)*
(4) DON Basic COMSEC Policy & Procedures Inter-Active Courseware (ICW)

Note: These CBTs are available at www.iad.nsa.smil.mil – KMI Program Management Office – KMI Verified Training. The DON Basic COMSEC Policy & Procedures ICW is available on the Navy E-Learning Portal.

b. Except as discussed in 301.d.3 below, auditors must have previously served as a CAM or alternate for a minimum of one year.

c. Attend the Auditor Training Seminar conducted by the local CMS A&A Team.

d. Within 180 days of completion of the CMS COR Auditor Training Seminar:
(1) Accompany and observe at least one CMS COR audit with a certified CMS COR auditor; USCG personnel will observe two COR audits.
(2) Conduct a minimum of two CMS COR audits Under Instruction with a certified CMS COR auditor.
(3) Personnel pursuing auditor certification who do not meet the requirement of Article 301.b must observe a minimum of two audits and conduct a minimum of three audits under instruction with a certified CMS COR auditor.

303. DESIGNATION GUIDELINES: Upon completion of the above requirements, the local CMS A&A Team will forward the CMS COR Auditor Qualification Standards checklist to NCMS (N7). NCMS will review the package for completeness, and then forward, via digitally signed email, the designation letter to the individual's parent command certifying assignment as a COMSEC COR auditor. Appointment of personnel as auditors is not authorized by any organization other than NCMS.

a. To retain auditor certification, personnel must re-attend the CMS COR Auditor Training Seminar through the local CMS A&A Team every 36 months while assigned as a COMSEC account COR auditor. Upon completion, NCMS will forward a letter recertifying the auditor for continued assignment.

b. Auditors whose certification has been expired for a year or longer, or those who have not conducted at least one audit since certifying, will be required to re-attend the training seminar and conduct one audit under the instruction of a certified COR auditor prior to recertifying. NCMS reserves the right to withdraw an auditor's certification when disqualifying or questionable information becomes available. If withdrawn, NCMS will forward an official letter to the auditor's parent command. Parent organizations must notify NCMS in writing if a certified auditor has his/her access to classified material suspended or security clearance revoked.


CHAPTER 4 – CMS COR AUDIT REPORTING PROCEDURES

401. CONTENT AND SUBMISSION GUIDELINES:

a. Significant deficiencies discovered by an auditor which appear to require action by higher-level authorities must be reported immediately to the CO of the audited command.

b. At the conclusion of the audit, a formal out-brief must be provided by the auditor to the CO, OIC, or SCMSRO, as applicable.

c. Formal COR audit reports must be submitted within 10 business days of completion of the audit to the local CMS A&A Team. If consecutive audits are conducted back-to-back, the report(s) will be submitted NLT 10 business days from the date of the last audit conducted. The report must include comments to substantiate the evaluation, applicable references, and recommendations for correcting deficiencies. A sample COR audit report can be found in Annex E.

d. Approval to continue to hold classified COMSEC material must be included in the audit report.

e. Formal audit reports will be submitted by the auditor to the local CMS A&A Team for serialization and review. The local CMS A&A Team will then forward the serialized report to the appropriate ISIC/IUC for review and forwarding to the audited command. The audited unit shall correct the deficiencies identified and return a report of corrective actions completed within 30 days from the date of receipt of the audit report to their ISIC/IUC. The auditor will consult the Standard Navy Distribution List (SNDL) to determine the audited command's ISIC or contact NCMS for assistance.

403. FEEDBACK REPORT: Feedback regarding significant discrepancies or misinterpretation of COMSEC policy or procedures is an important management tool. ISICs/IUCs are encouraged to forward such information to NCMS to improve the audit program and also the COMSEC system as a whole. The use of this report is strongly encouraged as it can provide NCMS with information, practices, or procedures which may be applied advantageously throughout the DON and Coast Guard COMSEC communities. A sample Feedback Report can be found in Annex F.

405. PRIVILEGED NATURE OF AUDIT REPORTS: Auditors serve as the COR's representatives for evaluating COMSEC account management. The release of audit reports prepared under the provisions of this manual requires appropriate restrictions on public access and access by governmental organizations outside the DON. All audit reports will be marked FOR OFFICIAL USE ONLY and will include the applicable caveat reflected below:

a. Navy: "The information contained herein relates to the internal practices of the Department of the Navy. This document is therefore an internal communication not releasable, nor may its contents be disclosed outside the Department of the Navy without prior approval. This report may not be reproduced, in whole or in part, without approval from an appropriate superior authority. Requests for information contained in this report from an agency external to the Department of the Navy shall be promptly referred to the proper authority. The reviewing authority shall in turn refer the request, with recommended actions, to the appropriate Fleet Commander. Holders of this report shall strictly observe these restrictions."

b. Marine Corps: "The information contained herein relates to the internal practices of the Department of the Navy and the U.S. Marine Corps. This report is not releasable, nor may its contents be disclosed or reproduced in whole or in part, without prior approval of (the inspecting command), CMC (C4/CY) or NCMS. Requests for inspection reports, portions thereof, or correspondence related thereto, from a source external to the Department of the Navy shall be promptly referred to CMC (Information Assurance Division (C4/CY)). Holders of this report shall strictly observe this caveat."

c. Coast Guard: "The information contained herein relates to the internal practices of the Department of Homeland Security and is an internal communication within the inspecting command. This report of (inspecting authority) is not releasable, nor may its contents be disclosed or reproduced outside of original distribution, nor may it be reproduced in whole or in part, without prior approval of (inspecting authority), COGARD C3CEN, or NCMS. Requests for inspection reports, portions thereof, or correspondence related thereto, from a source external to the Department of Homeland Security shall be promptly referred to (inspecting authority) who shall further refer the request with recommended action to the Commander, U.S. Coast Guard C3CEN. Holders of this report shall strictly observe this caveat."


ANNEX A

CMS COR AUDIT GUIDE


PURPOSE. This guide is intended to ensure a thorough review of COMSEC management is conducted by the CMS COR auditor.

ACTION. The audit checklist shall be used and completed by the COR auditor; there may be some questions which are not applicable and should be identified as such. The completed checklists should aid the auditor in facilitation of the required out-brief and preparation of the official report. Per Chapter 2 and Art. 401 herein, audit reports shall include comments and references to substantiate the evaluation.

Command Audited & Date:

COMSEC Account Number:

Total Line Items in the Account:

Immediate Superior in Command:

Date of Last COR Audit:

Date of Last A&A Visit:

Date of Most Recent Facility Approval:

Name/Grade/Rate/Command of Auditor:

Manager Name, Grade & Date of Appointment:

Primary Alternate Name, Grade, & Date of Appointment:

Secondary Alternate Name, Grade, & Date of Appointment:

Tertiary Alternate Name, Grade, & Date of Appointment:

Clerk Name, Grade & Date of Appointment:

Client Platform Administrator Name, Grade, Rate and Date of Appointment:

Client Platform Security Officer (CPSO) Name, Grade, Rate and Date of Appointment:


SECTION I: ACCOUNT OVERSIGHT & ADMINISTRATION
  TAB 1 - CO'S RESPONSIBILITIES
  TAB 2 - APPOINTMENT, BRIEFINGS AND TRAINING
  TAB 3 - MANAGER RESPONSIBILITIES
  TAB 4 - COMSEC LIBRARY

SECTION II: ACCOUNT MANAGEMENT
  TAB 1 - ACCOUNTABILITY & MANAGEMENT OF COMSEC MATERIAL
  TAB 2 - PAGE CHECKS, CORRECTIONS & AMENDMENTS
  TAB 3 - COMSEC FILES, RECORDS AND RETENTION

SECTION III: PLATFORM OVERSIGHT & CONFIGURATION MANAGEMENT
  TAB 1 - PLATFORM SECURITY, VISUAL INSPECTIONS, DEVICE RECERTIFICATION, AND INFORMATION ASSURANCE VULNERABILITY ALERT (IAVA) COMPLIANCE
  TAB 2 - OVER-THE-AIR-DISTRIBUTION/REKEY/TRANSFER (OTAD/OTAR/OTAT) & ELECTRONIC STORAGE DEVICE REQUIREMENTS

SECTION IV: SECURITY
  TAB 1 - PHYSICAL SECURITY
  TAB 2 - EMERGENCY ACTION PLAN (EAP)
  TAB 3 - EMERGENCY DESTRUCTION PLAN (EDP)


SECTION I

TAB 1 - COMMANDING OFFICER RESPONSIBILITIES

Area/Item Reviewed

1. Has the CO, OIC or SCMSRO (as applicable):

Yes/No I a. ensured the manager, alternate and clerk are appointed in writing, authorized access to cryptographic information and appointment letters retained for 2 years? [CMS-1, Art. 301.a, 403.a, 407.b, 909.c.2, Annex G] Note: Appointment of a Clerk is optional; when a Change of Command, OIC or SCMSRO occurs appointment letters must be updated and signed by the current CO within 60 days of the Change of Command. If previous appointment letters have not been retained for 2 years assess as an Administrative discrepancy.

Yes/No A b. ensured local procedures are in place for identification and reporting of any potentially significant changes in life-style, financial status, or disciplinary problems involving personnel authorized access to COMSEC material. [CMS-1, Art. 407.h; SECNAV M5510.30 Art. 7-2.C, 10-1.2; Exhibit 10A]

Yes/No P c. ensured quarterly spot checks are conducted where COMSEC material is used and stored. [CMS-1, Art. 407.i, 1003.a.23]

Yes/No A d. received debriefings from CMS A&A Teams and CMS auditors. [CMS-1, Art. 407.j]

Yes/No A e. ensured if COMSEC support is provided to external commands that a Letter of Agreement/Memorandum of Understanding exists, addresses the minimum areas required and is signed by both the supporting and supported Commander? [CMS-1, Art. 125, 201.c, 407.p, Annexes D and G; OPNAVINST 4000.84, Paragraphs 3.b, 4.c]

Yes/No A f. ensured Emergency Action Plan (EAP)/ Emergency Destruction Procedures (EDP) are established and tested. [CMS-1, Art. 407.m]

Yes/No A g. ensured collateral duties assigned to the CAM do not interfere with COMSEC responsibilities. [CMS-1, Art. 407.o]

Yes/No A h. received the CMS for COs training from the local CMS A&A Training Team. [CMS-1, Art. 317.c.2]

Yes/No A i. ensured discrepancies identified during self-assessments, spot checks or COR audits are documented, reported and resolved within 30 days of discovery. [CMS-1, Art. 407.q]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 2 - APPOINTMENT, BRIEFINGS AND TRAINING

Area/Item Reviewed

Yes/No I 1. Does the CAM, alternate, and client platform security officer (CPSO) possess a security clearance equal to/higher than the highest classification indicator (HCI) of the account? [CMS-1, Art. 145.c, 401.h, 909.c.2; DOC 042-12, Paragraph 6.7.2]

Yes/No/NA I 2. If the account is validated for keying material used to protect SCI/SI information, are the CAMs SCI/SI eligible? [CMS-1, 403.b.4 – 403.b.5, 909.c.2] Note: Personnel with access to physical or unencrypted key used to protect SCI/SI information must be SCI/SI indoctrinated.

Yes/No I 3. Does the CPA have a minimum SECRET security clearance? [CMS-1, Art. 145.b, 909.c.2; DOC 042-12, Paragraph 6.7.1.1]

Yes/No/NA I 4. Does the clerk possess a security clearance equal to/higher than the material access is granted to? [CMS-1, Art. 403.b.8, 909.c.2]

Yes/No A 5. Are the client platform administrator (CPA) and CPSO appointed in writing and have appointment letters been retained for two years from the date relieved? [CMS-1, Art. 403.a.1, Annex G]

Yes/No A 6. Have the CAM and alternates completed formal training prior to appointment and if not, did the Service Authority grant a waiver for the appointment? [CMS-1 Art. 301.a.2, 401.i]

Yes/No A 7. Have the CAM, alternates and clerk (if appointed) completed the applicable level of NAVEDTRA 43462-2 (PQS) for the position held? [CMS-1, Art. 403.b.13]

Yes/No A 8. Have the CAM and alternates completed the DON Basic COMSEC Policy & Procedures Inter-Active Courseware within three years? [CMS-1 Art. 301.b.1]

Yes/No A 9. Are the CAM, CPA and CPSO trained and certified per the incumbent’s cybersecurity category or specialty area code? [CMS-1, Art. 145.c (note), 301.a.5, 1003.a.32; SECNAV M5239.2]

Yes/No A 10. Are SD-572 forms executed by all personnel with access to SECRET or T.S. cryptographic information and retained on file, as required? [CMS-1 Art. 403.b.12, 409.n, Annex G]

Yes/No A 11. Have the CPA, CPSO and TSO completed the applicable NSA-developed CBTs? [CMS-1, Art. 145.c, 145.s; DOC 042-12, Paragraphs 6.7.1.2, 6.7.2.2]

Yes/No A 12. Have the CPA and CPSO executed the required Information System Privileged Access Agreement, and is it retained for 2 years? [CMS-1, Art. 707.a.10; SECNAV M-5239.2 Appendix 1, Paragraph 3; DODM 8570.01, Paragraph C2.1.4]

Yes/No A 13. Have the CAM and alternate attended a minimum of one town hall session per calendar year? [CMS-1, Art. 317.c.5]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 3 - MANAGER RESPONSIBILITIES

Area/Item Reviewed

Yes/No A 1. Does the CAM provide the CO and other interested personnel with information about new or revised COMSEC policies and procedures and their impact on the command? [CMS-1, Art. 409.a]

Yes/No/NA A 2. Is the CAM Turnover Checklist used during account turnovers and retained for 2 years? [CMS-1, Art. 409.ak; Annex G] Note: NA if the current CAM has been in the account for over 2 years.

Yes/No A 3. Does the CAM use the Modern Key Tracking Tool or a locally created tool to manage modern key? [CMS-1, Art. 409.aj]

Yes/No A 4. Has the CAM promulgated written guidance, concerning the proper handling, accountability, and disposition of COMSEC material? [CMS-1, Art. 409.j]

Yes/No I 5. Does the CAM, alternate or LE issuing (as applicable) verify security clearances and written authorization prior to issuing classified COMSEC material, including keying material? [CMS-1, Art. 409.n, 909.c]

Yes/No P 6. Are self-assessments & spot checks conducted by the CAM or alternates and retained locally as required? [CMS-1 Art. 309.a, 409.ad, 409.ae, 1003.a.23; Annex G, Paragraph 2]

Yes/No A 7. Does the CAM ensure accurate and timely submission of CF Forms-1205 and 1206 to ensure sufficient personnel have key ordering privileges? [CMS-1, Art. 409.e, Annex M Paragraph 11.c]

Yes/No A 8. If contractor personnel have access to COMSEC material at a DON activity, does Block 10 to the DD-254 indicate access to COMSEC material is required? [CMS-1 Art. 503.f]

Yes/No A 9. Does the CAM ensure the provisions of OPNAVINST 2221.5 (series) have been met prior to releasing COMSEC material to a contractor account? [CMS-1, Art. 503.g]

Yes/No/NA I 10. Does the CAM ensure personnel who perform cryptographic maintenance have a DD-1435 documented on file and are authorized in writing by the CO to perform cryptographic maintenance? [CMS-1, Art. 909.c.13, Tab 1 to Annex R, Paragraph 7]

Yes/No A 11. Has coordination been made with the area Defense Courier Division (DCD) station to establish an account through submission of a USTC Form 10 signed by the current CO/OIC/SCMSRO? [CMS-1, Art. 203.A.9, 615 and 741.b]

Yes/No A 12. Does the CAM maintain and provide up-to-date status information to LE personnel? [CMS-1, Art. 409.am]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 4 - COMSEC LIBRARY

Area/Item Reviewed

Yes/No 1. Does the account maintain a COMSEC library with applicable instructions and manuals? [CMS-1, Art. 715]

Yes/No/NA a. AMSG 600 – NATO Communications Security Information. (Required only if the account holds NATO material).

Yes/No/NA b. CJCSI 3260.01 (series) - Joint Policy Governing Positive Control Material Devices. (If SAS/TPC material is held).

Yes/No/NA c. COMUSFLTFORCOM/COMPACFLT/COMUSNAVEURINST C2282.1 (series) - Basic Shipboard Allowance of COMSEC Material. (Surface ships only)

Yes/No d. CMS-1 (series) - DON COMSEC Policy and Procedures

Yes/No e. CMS-3 (series) - DON COMSEC Audit Manual

Yes/No f. CNSSI 4006 – Controlling Authorities for Traditional COMSEC Keying Material

Yes/No g. CNSSI 4032 – Management and Use of Secure Data Network System (SDNS) Firefly Keying Material and Related Equipment

Yes/No/NA h. COMDTINST M5510.23 – Coast Guard Classified Information Management Manual. (USCG accounts only)

Yes/No i. DOC 030-13 – Operational Security Doctrine (OSD) for the sKey6500 Token.

Yes/No j. DOC 042-12 – Process Security Doctrine for the Enrollment of KMI Managers.

Yes/No k. DOC 043-12 – Process Security Doctrine for the Registration of KMI Operating Accounts and Users.

Yes/No l. KMI 5110 – KMI MGC Operational Security Doctrine.

Yes/No m. KMI Management Client (MGC) Operators Manual

Yes/No n. DOC 012-15 – OSD for the KG-250X Family of Equipment

Yes/No o. USG Type 1 Certificate Policy

Yes/No/NA p. NAG 16 (series) – Field Generation and Over-the-air Distribution of Tactical Electronic Key. (Required only if the account is involved in OTAT/OTAR operations).

Yes/No/NA q. NAG 53 (series) – Keying Standard for Non-Tactical KG-84/KIV-7 Point to Point Circuits. (Only required by shore-based accounts with point to point circuits using KG-84s/KIV-7s)

Yes/No/NA r. NSA Mandatory Modification Verification Guide. (Only required by accounts with legacy equipment covered by the MMVG which is subject to NSA mandatory modifications)

Yes/No s. OPNAVINST 2201.4 (series) – COMSEC Equipment Maintenance and Training

Yes/No/NA t. OPNAVINST 2221.5 (series) - Release of COMSEC Material to U.S. Industrial Firms Under Contract to USN. (Only required for accounts which have an occasion to release COMSEC material to contractors)

Yes/No/NA u. OPNAVINST 5530.14 (series) - Navy Physical Security and Law Enforcement Program. (Not required by USCG units)

Yes/No/NA v. SDIP 293 - NATO Cryptographic Instruction. (Required only if the account holds NATO material)

Yes/No w. SECNAVINST 5040.3 (series) - Naval Command Inspection

Yes/No/NA x. SECNAV M5510.30 (series) – DON Personnel Security Program Manual. (Not required by USCG units)

Yes/No/NA y. SECNAV M5510.36 (series) - Information Security Program Manual. (Not required by USCG units)


Yes/No/NA z. COMDTINST M5530.1 (series) – Physical Security and Force Protection Program. (USCG units only)

Yes/No/NA aa. COMDTINST M5520.12 (series) – Personnel Security and Suitability Program. (USCG units only)

Note: The items identified herein may be retained in printed or electronic form. An out of date or incomplete COMSEC library should be assessed as an Administrative Discrepancy.

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


SECTION II

TAB 1 – ACCOUNTABILITY & MANAGEMENT OF COMSEC MATERIAL

Item/Area Checked

Yes/No I 1. Does the product inventory reflect all COMSEC-accountable material in stock to the account? [CMS-1 Art. 751.a, 909.c.18, 1003.b] Note: If COMSEC-accountable items are discovered not to be properly accounted for, only assess as an incident if it involves classified keying material, unclassified keying material designated as “CRYPTO” or CCI. Otherwise, document and report per Art. 1003.b.

Yes/No P 2. Are only COMSEC-accountable items with a valid Short Title accounted for in the MGC? [CMS-1, Art. 751.a, 1003.a.18, Annex R, Tab 1 Paragraph 10]

Yes/No A 3. Are FTRs registered as ALC-1, material type “Equipment”? [CMS-1 Annex R, Tab 1, Paragraph 4.c]

Yes/No A 4. Is effective and supersession information maintained in the MGC? [CMS-1, Art. 749.b]

Yes/No A 5. Has the CAM ensured the account’s CAD data is current and updated, as required? [CMS-1 Art. 603.b, Annex P Paragraph 7]

Yes/No A 6. Are "Request for Inventory Transactions" generated by the COR responded to within 30 days of the initial request? [CMS-1, Art. 753.h; Annex O] Note: Submarines deployed or on patrol will use a locally generated inventory.

Yes/No A 7. Has the account generated, wrapped and submitted a COAL inventory on a monthly basis? [CMS-1 Art. 753.j] Note: N/A for submarines at-sea or accounts during an inventory cycle.

Yes/No A 8. Does the CAM maintain, safeguard and store non-COMSEC-accountable KMI-related components, such as AKP Operational CIKs, as well as devices intended for backup or restoration purposes which until used may not be COMSEC accountable (e.g., Client Host USB drives, spare MGC hard drives, future KOM-3s and KOM-4s)? [CMS-1, Art. 409.aq]

Yes/No/NA A 9. For accounts with less than 500 line items, are effective and supersession dates annotated on all physical COMSEC keying material, COMSEC-accountable manuals and publications, as applicable? [CMS-1, Art. 749.a]

Yes/No/NA A 10. Are keytape canisters free of labels which may conceal attempted penetration or prevent inspection of protective packaging, as applicable? [CMS-1, Art. 749.e, 909.c] Note: If discovered, have the label removed and the canister inspected. If any signs of possible damage/tamper exist, report as a COMSEC incident.

Yes/No/NA I 11. Has unsealed COMSEC material been sealed or resealed in accordance with CMS-1 and local command instruction(s)? [CMS-1, Art. 761, 821.f, 909.c, 1003.a] Note: Except as stated in Art. 761.c and 821.f, if keying material is prematurely extracted, it must be documented on the CMS-25 as a non-reportable PDS. If found not documented on a CMS-25, report the matter as a Physical incident.

Yes/No P 12. If an electronic TRI was not received, are hard copy SF-153s for physical material properly completed, reflecting the TN number, date assigned, type of action, and CAM and witness signatures? [CMS-1 Art. 1003.a.1, Annex H, Paragraphs 7 - 9]


Yes/No A 13. Are conversion, destruction, generation, possession, relief from accountability and transfer reports for ALC-1, 2 and 6 materials sent to Tier 1 in a timely manner? [CMS-1 Art. 721]

Yes/No P 14. Are receipts for physical material, bulk encrypted transactions (BET) or report of corrupt BETs submitted within three business days of receipt or download to the COR or originator? [CMS-1 Art. 733.e, 1003.a]

Yes/No/NA A 15. Has the receipt of two person control (TPC) material been reported per CJCSI 3260.01? [CMS-1, Art. 169.d]

Yes/No A 16. Are pending tracers processed within the required timeframes? [CMS-1, Art. 735, 909.c.20]

Yes/No P 17. Is all COMSEC material (including equipment and publications) assigned AL Code 1, 2, 4, 6, and 7 inventoried semiannually? [CMS-1 Art. 753.c, 1003.b, Annex H] Note: Operational SSBNs and SSGNs are exempt from fixed-cycle inventory requirements. During extended maintenance availability periods they will adhere to their normal FC Inventory cycle.

Yes/No P 18. Was the SAIR signed by the CAM, a properly cleared witness, and the CO or SCMSRO? [CMS-1, Art. 753.a.5, 753.a.6; 1003.a, Annex H, Paragraph 7.a]

Yes/No P 19. Was the CCIR or combined inventory, as applicable, conducted for a change of command or change of CAM and signed by the outgoing CAM and CO? [CMS-1, Art. 753.a.2, 753.a.6, 1003.b; Navy Regulations, Art. 807.g] Note: CCIRs or combined inventories used for a change of CAM are witnessed by the incoming CAM.

Yes/No A 20. Is the completion of SAIR and CCIR inventories reported to the COR, as required? [CMS-1, Art. 753.h] Note: N/A for Change of Command inventories.

Yes/No P 21. Have discrepancies on the Inventory Reconciliation Status Report (IRST) been communicated to the COR and resolved within the required timeframe? [CMS-1, Art. 753.j; 1003.b]

Yes/No I 22. Are local custody issue (LCI) documents used to maintain proper accountability of COMSEC-accountable material issued? [CMS-1, Art 755.a, 909.c.18]

Yes/No/NA I 23. Is routine destruction of physical COMSEC material performed using approved methods? [CMS-1, Art. 517.k, 771.g and 909.c.18]

Yes/No/NA I 24. For afloat units in port without an NSA-evaluated/authorized destruction device, is non-paper COMSEC material being destroyed with a cross-cut shredder and the residue temporarily retained until it can be dispersed at sea? [CMS-1, Art. 517.k, 909.c.18]

Yes/No I 25. Are destruction records completed to document destruction of all COMSEC material? [CMS-1, Art. 725.b, 771.f, Annex G]

Yes/No P 26. Is destruction of electronic key held at the account or issued to an ESD completed within the required timeframe and verified? [CMS-1, Art. 517.c, 517.d, 825, 1003.a.8; DOC 005-15; DOC 024-12] Note: Regardless of form, electronic or physical, superseded key must be destroyed within the prescribed time frames. If the electronic key destroyed late is not NATO, document as a non-reportable PDS. If the material has been documented as destroyed and found to exist or involves NATO material, report as a COMSEC incident.


Yes/No P 27. Do destruction records clearly identify the short title, edition(s), register number, ALC, date of destruction, and the printed names and signatures of the persons who performed and witnessed the destruction, and are blocks 14 & 16 annotated to indicate the action the SF-153 was used for (destroyed/witnessed)? [CMS-1, Art. 725.a, 771.c, 773; Figures 7-1, 7-2, 7-3] Note: Failure to complete blocks 14 & 16 should be treated as an Administrative Discrepancy.

Yes/No I 28. Is superseded physical COMSEC material, electronic or physical NATO keying material or equipment authorized for destruction destroyed within the proper timeframes? [CMS-1, Art. 517.f, 517.i, 771.d, 909.c.5]

Yes/No P 29. Does the CAM ensure modern key filled into KSV-21 cards or other end cryptographic units (ECUs) is deleted from the ESD by LE personnel following loading, recorded as “Filled in End Equipment” and reflected on the account’s end-of-month destruction report? [CMS-1, Art. 517.d.2, 773.d, 1003.a.8] Note: Late destruction is only an incident if it involves physical or NATO material.

Yes/No P 30. Are all consolidated destruction records signed by the CAM, a witness and the CO/OIC/SCMSRO (Block 17)? [CMS-1, 1003.A.1, Annex H, Paragraph 9.o.2, 9.q, Annex M Paragraph 8.b]

Yes/No/NA P 31. Are SAS/TPC destruction reports signed by two members of the SAS/TPC Team? [CMS-1, Annex H, Paragraph 7.d]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 2 - PAGE CHECKS, CORRECTIONS AND AMENDMENTS

Area/Item Reviewed

Yes/No/NA A 1. Are required page checks accomplished by the manager and a witness as follows: [CMS-1, Art. 745.e, 745.f, 759.a, 761, Annex K, Annex L, Annex M Paragraph 10.e]

Yes/No/NA A a. Unsealed COMSEC keying material: upon initial receipt; during account inventories; during watch inventories; prior to transfer; and upon destruction?

Yes/No/NA A b. Unsealed maintenance and operating manuals and amendments: upon initial receipt; after entry of amendments which change pages (both person entering and person verifying entry); during account and LE inventories; prior to transfer; and upon destruction? Note: Review the record of page checks to verify the dates of the page checks coincide with all account inventories.

Yes/No/NA A c. Maintenance and repair kits: upon initial receipt; upon installation of modification; during inventories; prior to transfer of the Q (repair) kits; and upon destruction? Note: Randomly open 3 Q-kits and verify (a) an inventory is in the kit, (b) the inventory document is signed/dated by the individuals who inventoried the cards and (c) if any card has been removed, the inventory reflects this and the proper documentation is in the kit in place of the removed card.

Yes/No/NA A d. Resealed keying material: during account inventories; prior to transfer; and upon destruction?

Yes/No/NA A 2. Are page checks of publications and amendment residue recorded on the Record of Page Checks (ROP) page? [CMS-1, Art. 745.d, 769.g.7]

Yes/No/NA I 3. Are page check discrepancies being reported? [CMS-1, Art. 909.c.1, 1003.b.4, Annex K]

Yes/No/NA A 4. Are corrections to publications made with black ink only? [CMS-1, Art. 769.g.2]

Yes/No/NA A 5. Are pen and ink corrections identified by writing the amendment or correction number in the margin opposite the correction? [CMS-1, Art. 769.g.2]

Yes/No/NA A 6. Has the person entering the amendment signed and dated the appropriate blanks on the publication’s Record of Amendments (ROA) page? [CMS-1, Art. 769.g.4]

Yes/No/NA A 7. Has the individual who verified proper entry of the amendment initialed the entry on the ROA page? [CMS-1, Art. 769.g.7]

Yes/No/NA I 8. Is amendment residue destroyed within five days of amendment entry? [CMS-1, Art. 517.h, 909.c]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 3 - COMSEC FILES, RECORDS AND RETENTION

Area/Item Reviewed

1. Does the CAM maintain and retain chronological, correspondence, message, directives and local custody files and logs or briefings for the period indicated? [CMS-1 Art. 203.a, 705.a, 707.a, 707.b, 909.c, Annex G; SECNAV M5510.36, Art. 7-11]

Yes/No P a. COMSEC material accounting reports (conversion, destruction, generation, inventory, possession, receipts, relief from accountability, transfer reports) [retain for 3 calendar years or until the next COR audit, whichever is longer; working copies of inventories may be disposed of upon receipt of the RCC]

Yes/No A b. Change of Account Location (COAL) inventories & Records Clearance Certification (RCC)[retain until receipt of the next RCC]

Yes/No A c. USTRANSCOM Form-10 [retain until updated]

Yes/No A d. CMS Form 1 (if required) [retain until updated]

Yes/No A e. KMI Form 004 – KMI Human User Agreement Form & User Provided Documents [retain for 7 years]

Yes/No A f. Account registration correspondence [retain for 2 years from the date the account is disestablished]

Yes/No A g. COMSEC incident and PDS reports (this includes documentation on non-reportable PDSs) [retain for 2 years]

Yes/No A h. Correspondence related to the command allowance and authorization to store classified COMSEC material [retain for 2 years or until completion of the next audit]

Yes/No A i. CMS COR audit reports [retain for 2 years]

Yes/No I j. List of personnel authorized access to keying material and the MGC/AKP, as applicable [retain until a new list is signed by the CO]

Yes/No P k. Completed spot checks (or a log of those conducted) and self-assessments [retain for 2 years or until completion of the next audit]

Yes/No A l. Documentation of training conducted [retain for 2 years or until completion of the next audit]

Yes/No/NA P m. OTAD/OTAR/OTAT/HtHkt logs [retain for 60 days from the last entry]

Yes/No I n. Audit trail review & reinitialization logs for ESDs (retain for 2 years)

Yes/No A o. Effective general messages (i.e., ALCOMs, ALCOMPAC P, and ALCOMLANT A) that pertain to COMSEC material? [retain until cancelled; for prior year message consult ALCOM, ALCOMPAC P or ALCOMLANT ALFA 001/current calendar year]

Yes/No A p. Up-to-date Controlling Authority status information? [retain until superseded by an updated status message]

Yes/No A q. Effective command or higher authority COMSEC-related directives (guidance for LEs, waivers of COMSEC policy and procedures, etc.)? [CMS-1, Art. 707.c, Annex G] [retain until cancelled or superseded]

Yes/No I r. Does the local custody file contain a signed SF-153, or a CAM-generated inventory signed by the LE, for all material issued to the LE level? [CMS-1, Art. 709.a, 709.b, 909.c.18] [retain for 90 days from the date the material is turned in or destroyed]


Yes/No A s. Are inactive records awaiting expiration of the required retention period clearly labeled with the appropriate classification, downgrading instructions and the authorized destruction date? [CMS-1, Art. 711.c]

Yes/No A t. Registered mail receipts, DCS receipts or FEDEX receipts [retain for 1 year]

Yes/No A u. Terminated Letters of Agreement [retain for 1 year from termination of support]

Yes/No A v. SF-700 Monthly Inventory Log [retain for 1 year or until the next COR audit]

Yes/No A w. Completed SF-701s & 702s [retain for 30 days from the last date recorded on them; USCG units retain for 90 days per CIM 5510.30 (series)]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


SECTION III

TAB 1 - PLATFORM OVERSIGHT & CONFIGURATION MANAGEMENT

Area/Item Reviewed

Yes/No I 1. Are PINs/passwords for accounts registered on the MGC/AKP recorded and sealed in separate SF-700 envelopes for each user and safeguarded as required? [CMS-1, Art. 507.c, 507.f, 909.c.1.c]

Yes/No P 2. Has the CAM rekeyed the following at least annually: (1) the IA(I) and IA(M) certificates on the AKP and on each active Token (KOV-29) in the account, and (2) the Firefly Vector Set? [CMS-1 Art. 409.c, 1003.b.1, Annex M Paragraph 2; KMI 5110, Paragraph 11.3.7]

Yes/No/NA I 3. If the account has a KOK-23 in use, has the device been certified within the current three years? [CMS-1 Art. 909.a.1; DOC 027-09 Paragraph 22 and 27]

Yes/No/NA I 4. If a KOK-23 is held, are the SSO and Operator CIK(s) accounted for in the MGC as ALC-1 and ALC-4, respectively, as applicable? [DOC 027-09 Paragraph 7.b; CMS-1 Art. 909.c.18]

Yes/No P 5. Does the account have two (2) AKP operationally affiliated CIKs (one primary, one backup)? [CMS-1, Art. 409.ap, 1003.a.25]

Yes/No I 6. Has a changeover been performed at a minimum of every 12 months? [CMS-1, Art. 409.f, 909.a.2; KMI 5110, Paragraph 3.2.15]

Yes/No I 7. Has the AKP in use been recertified within the current seven years? [CMS-1, Art. 909.a.1, Annex R, Tab 2, Paragraph 2.e; KMI-5110 Paragraph 3.2.9]

Yes/No I 8. Does the CAM ensure key output from the AKP is encrypted, unless operationally required to do otherwise? [CMS-1, Art. 755.c, 821.b, 909.a.17; KMI 5110, Paragraph 3.2.16.1]

Yes/No I 9. If the account HCI is TS, are AKPREINIT flash drives protected under TPI? [CMS-1, Art. 505.d.7, 909.c.10; KMI 5110, Paragraph 6.2.3.4]

Yes/No P 10. Are the AKP and AKPREINITs visually inspected, and is each inspection documented in a physical inspection log retained for 2 years? [CMS-1, Art. 409.d, 409.ao, 1003.a.19, Annex G; KMI 5110, Paragraph 3.2.11, 6.2.3.4]

Yes/No I 11. Does the account maintain two sets of AKPREINIT 1 and 2 drives, and are they properly accounted for and reflected on the Product Inventory? [CMS-1, Art. 409.ao, 909.c.18; KMI 5110, Paragraph 3.2.14.13, 6.1.2.3]

Yes/No A 12. Are AKPREINITs tagged and labeled to indicate the short title, version number and Date of Creation? [KMI 5110, Paragraph 6.1.2.3.1.2]

Yes/No/NA I 13. Are the Client Node USB Drives labeled SECRET, ALC 2, and accounted for as Short Title “KOM 3”, “Equipment” in the Product Inventory? [CMS-1, Art. 909.c.18; KMI 5110, Paragraph 6.1.6.1.1] Note: If unused they are UNCLASSIFIED and not COMSEC accountable.

Yes/No P 14. Has the CAM sent an exact copy of archived accounting data to the KMI configuration manager within 30 days of the archive? [CMS-1, Art. 1003.a.17; KMI 5110 Paragraph 10.3.1.3.8.1]

Yes/No P 15. Are backups of the MGC database performed weekly or monthly (as applicable) and upon completion of a changeover? [CMS-1, Art. 713.d, 1003.a.16, Annex N Paragraph 1.b; KMI 5110, Paragraphs 3.2.1.5.4, 10.3.1.3.7]

Yes/No I 16. Does the CPA configure, establish and maintain unique Windows user-accounts, permissions and lock out settings on the client host? [KMI-5110, Paragraph 5.1.3.3; CMS-1, Art. 909.c.4]


Yes/No P 17. Does the CPA install software and associated updates within 30 days from the date directed by the Service Authority? [CMS-1, Art. 1003.a.33; KMI-5110, Paragraph 10.2.1.2.3]

Yes/No A 18. Does the CPA maintain a software install log which identifies at a minimum: the CPA’s name, a description of the software installed and the date of the installation? [KMI-5110, Paragraph 10.2.1.2.4]

Yes/No A 19. Does the CPSO verify the MGC is Information Assurance Vulnerability Alert (IAVA) compliant when an audit archive is conducted? [KMI-5110, Paragraph 10.2.2.2.4]

Yes/No P 20. Has the CPSO sent an exact copy of archived audit data including token (KOV-29) audit data to the central services node (CSN) within 30 days of the archive? [CMS-1, Art. 1003.a.24; KMI-5110, Paragraphs 10.2.2.2.2.2.4.8, 10.4.1.2.7]

Yes/No P 21. Has the CPSO; exported the AKP Diagnostic History Log (DHL) to the MGC every 6 months; reviewed the DHL for anomalies and documented the review? [CMS-1, Art. 1003.a.28; KMI-5110, Paragraph 10.2.2.2.2.2.1]

Yes/No P 22. Can the CPA or CPSO log in to the BIOS? Note: If the CPA or CPSO cannot log in to the BIOS, the MGC is considered compromised and a computer security incident must be reported. [CMS-1, Art. 1003.a.27; KMI-5110, 10.2.2.2.3; SECNAVINST 5239.19]

Yes/No P 23. Does the TSO conduct and document audit trail reviews on active KOV-29s at least every 90 days? [CMS-1, Art. 1003.a.26; DOC 030-13, Paragraph 8.a.6]

Yes/No I 24. Is the TSO someone other than the primary user of the token? [DOC 030-13, Paragraph 10.a; CMS-1 Art. 145.s, 909.c.20]

Yes/No I 25. Is access to terminal privilege association (TPA) cards restricted to the CAM, alternates or other properly designated personnel? [DOC 007-07, Section III, Paragraph 6, Page 3]

Yes/No/NA A 26. Are KSV-21 cards issued to residential users filled with key which indicates the location as a residence? [CNSSI 4032, Annex B, Para 7.d]

Yes/No A 27. Are software-designed devices in storage at the account level covered as part of the unit’s 3M or other service-specific maintenance program? [CMS-1, Annex R, Paragraph 12] https://infosec.navy.mil/crypto/ - “Hot Topics” - Cryptographic Equipment Battery Information (MIP/MRC tab) and (Battery Information Tab) [MIP 4461 series]

Yes/No I 28. Is the account’s KG-250 compliant with NSA-directed mandatory software upgrades and, if not, has DIRNSA or NCF issued an official waiver in writing? [CMS-1 Art. 909.a.15, Tab 3 to Annex R, Paragraph 3]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 2 - OVER-THE-AIR DISTRIBUTION/REKEY/TRANSFER (OTAD/OTAR/OTAT) & SIMPLE KEY LOADER/TACTICAL KEY LOADER/REALLY SIMPLE KEY LOADER (SKL/TKL/RASKL)

Yes/No/NA P 1. If the account generates, transmits, relays or receives electronic key, are local accounting records used and retained? [NAG 16 Paragraph 4.i; CMS-1, Art. 409.o, 1003.a.11, Annex G]

Yes/No/NA A 2. Does the CAM conduct periodic reviews of OTAD/OTAR/OTAT local accounting logs? [CMS-1, Art. 409.o, 411.b.10, 517.d.4]

Yes/No/NA I 3. If T.S. key is stored in an ESD (RASKL/SKL/TKL) and the CIK is stored in the device or accessible, is the device handled, stored and safeguarded under TPI? [CMS-1, Art. 505.d.5, 909.c.10; DOC 127-10, Paragraph 8.b.2; DOC 042-11, Paragraph 6, 18; DOC 024-12, Paragraph 6.c]

Yes/No I 4. Is access to SSO passwords restricted to individuals authorized to perform privileged functions? [DOC 127-10, Paragraphs 8, 15.g, 20.c; DOC 042-11, Paragraph 11; DOC 024-12, Paragraph 11.c]

Yes/No P 5. Are ESD CIKS locally accounted for? [DOC 127-10, Paragraph 19.c; DOC 042-11, Paragraph 18.b; DOC 024-12 Paragraph 19.b]

Yes/No I 6. Is audit trail data reviewed by the CAM or SSO semiannually or more frequently, and are audit trail review logs retained for the current and previous 2 years? [CMS-1, Art. 909.c.19, Annex G; DOC 127-10, Paragraph 20.b, 20.d.6, 32.b.10; DOC 042-11, Paragraphs 8, 11, 28.c; DOC 024-12, Paragraph 8, 11.c, 31.n]

Yes/No I 7. Are ESDs which are initialized or storing key reinitialized at a minimum of annually? [CMS-1, Art. 909.a.6; DOC 127-10, Paragraph 32.b; DOC 042-11, Paragraph 28.c; DOC 024-12, Paragraph 31.n]

Yes/No A 8. Are ESDs which are initialized or storing key visually inspected for cracks in the housing or other signs of tampering? [CMS-1, Art. 823; DOC 127-10, Paragraph 17.b.2; DOC 042-11, Paragraph 12; DOC 042-12, Paragraph 12]

Yes/No I 9. Does the CAM or SSO ensure personnel with access to an ESD filled with keying material and associated CIK possess a clearance equal to/higher than the information or key stored in the device? [CMS-1, Art. 409.n, 909.c.2; DOC 127-10, Paragraph 8.a; DOC 042-11, Paragraph 11.a; DOC 042-12, Paragraph 11.b]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


SECTION IV

TAB 1 – PHYSICAL SECURITY

Area/Item Reviewed

Yes/No I 1. Are adequate visitor controls enforced to ensure access to classified information is given only to visitors who possess the proper clearance, identification, and need to know? [CMS-1, Art. 521.e, 909.c.2; SECNAV-M 5510.30, Art. 11-1 Paragraph 2, 3; SECNAV-M 5510.36, Art. 7-12]

Yes/No A 2. Is a visitor's register in use, properly maintained (all blocks filled out) and retained for one year? [CMS-1, Art. 521.e, Annex G]

Yes/No I 3. Are the names of individuals with regular duty assignments in the COMSEC facility on a formal access list signed by the CO/OIC/SCMSRO or signed in on a visitor’s register until the access list is updated? [CMS-1, Art. 503.d, 521.e, 909.c.2]

Yes/No I 4. Is unescorted access to the area where the MGC is located restricted to cleared personnel authorized access to the space or CAMs? [CMS-1 (series), Art. 509.f, 909.c.2; KMI 5110 Paragraph 6.2]

Yes/No A 5. Has formal facility approval been given in writing by the ISIC/IUC or higher authority to install, maintain, operate and store classified COMSEC material? [CMS-1, Art. 521.d] Note: USMC accounts are required to have a Physical Security Survey (PSS) conducted biennially by a school trained Military Provost Officer. [Marine Corps Order 5530.14 (series)]

Yes/No A 6. Is the exterior of each COMSEC security container free of markings which reveal the classification or description of the material stored therein? [SECNAV-M 5510.36, Art. 10-1, Paragraph 3]

Yes/No A 7. Is the space or vault which contains COMSEC material outwardly identified as a “Restricted Area”? For USMC and USCG accounts, does the sign meet USMC or USCG specific criteria? [OPNAVINST 5530.14 (series), Art. 210.g, 218.a; MCO 5530.14 (series) Art. 3004; COMDTINST 5530.1 (series), Ch. 1, Paragraph 16]

Yes/No A 8. Are applicable security controls (guards and alarms) in place for the vault or COMSEC office? [CMS-1, Art. 509, 521; MCO 5530.14 (series), Art. 3003; SECNAV-M 5510.36, Art. 10-3?]

Yes/No I 9. Do storage containers and locking mechanisms meet the minimum security requirements for the highest classification of material stored therein including material subject to TPI? [CMS-1, Art. 509.d; SECNAV-M 5510.36, Art. 10-3]

Yes/No A 10. Is an Optional Form (OF-89) maintained for each security container, used to record damages, repairs or alterations, and retained within the container? [CMS-1, Art. 509.b; SECNAV-M 5510.36, Art. 10-15]

Yes/No A 11. Is a Security Container Information Form (SF 700) maintained for each lock combination and Part 1 placed in each COMSEC security container? [CMS-1, Art. 509.b; SECNAV-M 5510.36, Art. 10-12, Paragraph 4]

Yes/No A 12. Is a Security Container Check Sheet (SF-702) maintained for each lock combination of a COMSEC storage container and retained for 30 days beyond the last date recorded? [CMS-1, Art. 509.b, Annex G; SECNAV-M5510.36, Art. 7-11]


Yes/No I 13. Except in an emergency, are combinations to the COMSEC vault or containers used at the account level restricted to the CAM and alternates only? [CMS-1, Art 507.c; 909.c.2]

Yes/No I 14. Are combinations to containers storing material subject to TPI protected to prevent a single person from having knowledge of both combinations? [CMS-1, Art. 507.c, 909.c.2]

Yes/No I 15. Are sealed records of combinations to COMSEC containers maintained in an approved security container (other than the container where the COMSEC material is stored) for emergency purposes? [CMS-1, Art. 507.e; 909.c.2]

Yes/No A 16. Are combinations to COMSEC containers changed when initially placed in use, taken out of service, biennially, upon transfer/reassignment of personnel with access, or when compromised? [CMS-1, Art. 507.b]

Yes/No A 17. If the COMSEC facility is continuously manned, are security checks conducted at least once every 24 hours, documented on a SF-701 and are SF-701s retained for 30 days beyond the last date recorded? [CMS-1, Art. 521.d.3, Annex G; SECNAV-M 5510.36, Art. 7-11]

Yes/No A 18. In a non-continuously manned COMSEC facility, are security checks conducted prior to departure of the last person and documented on a SF-701, retained for 30 days beyond the last date recorded? [CMS-1, Art. 521.d.8; SECNAV-M5510.36, Art. 7-11]

Yes/No/NA A 19. If a COMSEC facility in a high risk area is unmanned for periods greater than 24 hours, is a check conducted at least once every 24 hours and documented on a SF-701 to ensure that all doors are locked and that there have been no attempts at forceful entry? [CMS-1, Art. 521.d.3; CNSSI 4005, Annex D]

Yes/No A 20. Are/do SF-700s: [CMS-1, Art. 507.f, 909.c.2]
a. Individually wrapped and protectively packaged? If not, and a single person has access to both and the material is subject to TPI, assess as a COMSEC incident.
b. Sealed using non-transparent lamination or plastic tape?
c. Reflect the names, addresses and phone numbers of individuals authorized access to the combination on the front of the envelope?
d. Reflect proper classification/downgrading markings on Part 2 and 2A?
e. Inspected monthly for tampering and the inspection documented?

Yes/No A 21. Is physical COMSEC material stored separately from other classified material and segregated by status, type and classification? [CMS-1, Art. 509.a.3]

Yes/No I 22. Is COMSEC material, including media containing black key packages properly safeguarded or stored when not in use or under the direct control of authorized personnel? [CMS-1, Art. 509.a, 803.e, 909.c.18]

Yes/No A 23. Are COMSEC files, records and logs handled and stored in accordance with their overall classification and properly marked to reflect the overall classification, the derivative source and declass instructions? [CMS-1, Art. 711.a, 711.d; SECNAV-M 5510.36, Art. 6-3, 6-26]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 2 - EMERGENCY ACTION PLAN (EAP)

Area/Item Reviewed

Yes/No A 1. Does the command have an EAP for safeguarding COMSEC material in the event of an emergency? [CMS-1, Annex E, Paragraph 2]

Yes/No A 2. Are all authorized personnel at the command/facility made aware of the existence of the EAP? [CMS-1, Annex E, Paragraph 6]

Yes/No A 3. For commands located within the U.S. and its territories, does the EAP provide guidance detailing actions to be taken for natural disasters, civil/mob actions and terrorism? [CMS-1, Annex E, Paragraph 2]

Yes/No A 4. Does the CAM maintain the COMSEC portion of the command EAP? [CMS-1, Annex E, Paragraph 1]

Yes/No A 5. When planning for natural disaster, does the EAP provide for: [CMS-1, Annex E, Paragraph 4]
a. Fire reporting and initial firefighting by assigned personnel?
b. Assignment of on-the-scene responsibility for protecting COMSEC material held?
c. Protecting material when admitting outside emergency personnel into the secure area(s)?
d. Securing or removing classified COMSEC material and evacuating the area(s)?
e. Assessing and reporting probable exposure of classified COMSEC material to unauthorized persons during the emergency?
f. Completing a post-emergency inventory of COMSEC and Controlled Cryptographic Item (CCI) material and reporting any losses or unauthorized exposures to appropriate authorities?

Yes/No A 6. Are EAP training exercises conducted and documented yearly to ensure that everyone is familiar with their assigned duties? [CMS-1, Annex E, Paragraph 6.d]

Questions 7 – 16 in TAB 3 only apply to units located outside the U.S. and its territories, and to deployable units.

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 3 - EMERGENCY DESTRUCTION PLAN (EDP)

Area/Item Reviewed

Yes/No A 7. Does the COMSEC account have an EDP incorporated into their EAP? [CMS-1, Annex E, Paragraph 2.c]

Yes/No A 8. Does the EDP identify personnel assignments and the chain of command authorized to direct emergency destruction? [CMS-1, Annex E, Paragraph 5.d; SECNAV-M 5510.36, Exhibit 2B]

Yes/No A 9. Are devices and facilities for the emergency destruction of COMSEC material readily available and in good working order? [CMS-1, Annex E, Paragraphs 5.d, 6.c]

Yes/No/NA A 10. Are the sensitive pages of KAMs prepared for ready removal (i.e., upper left corner clipped) and are the front edges of the covers/binders marked with a distinctive marking (i.e., red stripe)? [CMS-1, Annex E, Paragraph 5.e] Note: Sensitive pages are reflected on the last page of the KAM.

Yes/No A 11. Are destruction priorities indicated in the plan? [CMS-1, Annex E, Paragraph 8]

Yes/No A 12. Are EAP/EDP training exercises conducted at a minimum of annually to ensure personnel are familiar with their duties? [CMS-1, Annex E, Paragraph 6]

Yes/No A 13. Is the EDP divided into two parts: one for precautionary and one for complete destruction? [CMS-1, Annex E, Paragraph 7]

Yes/No A 14. Does the EDP provide for adequate identification and rapid reporting of the material destroyed, to include the method and extent of destruction and any classified COMSEC material items presumed compromised? [CMS-1, Annex E, Paragraph 10]

Yes/No A 15. Does the EDP stress accurate reporting of information concerning the extent of the emergency destruction is second in importance only to the destruction of the material itself? [CMS-1, Annex E, Paragraph 10]

Yes/No A 16. For surface units: Are document sinking bags available in sufficient quantity and in good condition to permit jettison of COMSEC material? [CMS-1, Annex E, Paragraph 9.d]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


ANNEX B

LOCAL ELEMENT (ISSUING AND USING)

B - 1

PURPOSE. The purpose of this audit guide is to ensure all aspects of COMSEC management are covered by the COMSEC account auditor during the account audit. Unless otherwise identified herein, the criteria contained in this Annex apply to either an LE issuing or an LE using.

Command or Work Center Audited & Date:

Parent COMSEC Account Number:

Total Line Items Held by the LE:

Immediate Superior in Command (If other than the ISIC for the parent/supporting COMSEC Account):

Date of Last COR Audit:

Date of Last A&A Visit:

Date of Most Recent Facility Approval:

Name/Grade/Rate/Command of Auditor:

LE Issuing Name, Grade & Date of Appointment:

Alternate LE Issuing Name, Grade, & Date of Appointment:

ACTION. The following audit checklist shall be used and completed, in its entirety, by the auditor conducting the audit. Per Chapter 2 and Art. 401.c of this manual, audit reports shall include references and comments to substantiate the evaluation.


SECTION I LOCAL ELEMENT RESPONSIBILITIES

TAB 1 RESPONSIBILITIES, APPOINTMENT, BRIEFINGS AND TRAINING

SECTION II LOCAL ELEMENT COMSEC MANAGEMENT
TAB 1 ACCOUNTABILITY & MANAGEMENT OF COMSEC MATERIAL
TAB 2 PAGE CHECKS, CORRECTIONS & AMENDMENTS
TAB 3 OVER-THE-AIR-DISTRIBUTION/REKEY/TRANSFER (OTAD/OTAR/OTAT) & ELECTRONIC STORAGE DEVICE REQUIREMENTS

SECTION III – SECURITY
TAB 1 PHYSICAL SECURITY
TAB 2 EMERGENCY ACTION PLAN (EAP)
TAB 3 EMERGENCY DESTRUCTION PLAN (EDP)


SECTION I

TAB 1 - APPOINTMENT, BRIEFINGS, AND TRAINING

Area/Item Reviewed

Questions 1 through 8 only apply to a LE Issuing

Yes/No/NA A 1. Does the primary (issuing) LE and alternates meet the minimum designation requirements specified in CMS-1? [CMS-1, Art. 403.b]

Yes/No/NA I 2. Are LE issuing (primary and alternates) appointed in writing by the CO, OIC or SCMSRO, as applicable? [CMS-1, Art. 407.b, 411, Annex G, Paragraph 2.c]

Yes/No/NA A 3. Are appointment letters forwarded to the supporting CAM and a copy retained on file for a minimum of 2 years following the relief of the primary (issuing) LE and/or alternates? [CMS-1, Art. 411.b.18, Annex G, Paragraph 2.c]

Yes/No/NA A 4. Are alternate LE issuing personnel actively involved in LE issuing duties and ready at all times to manage the LE’s COMSEC requirements in the absence of the primary (issuing) LE? [CMS-1, Art. 411.b.17]

Yes/No/NA A 5. Does the primary (issuing) LE provide the CO/OIC, SCMSRO and other interested personnel with general information about new or revised COMSEC policies or procedures? [CMS-1, Art. 411.b.1]

Yes/No/NA A 6. Does the (issuing) LE maintain and provide written guidance to LE personnel regarding proper handling, accountability, and disposition of COMSEC material? [CMS-1, Art. 411.b.2, 411.b.3]

Yes/No/NA A 7. Does the LE (issuing) maintain required files as directed by the parent account CAM? [CMS-1, Art. 411.b.2; Annex G]

Yes/No/NA A 8. If the LE issuing provides COMSEC material to LEs responsible to a CO other than the LE issuing's CO, were letters of agreement exchanged and signed by the supporting and supported commander? [CMS-1, Art. 125, 201, 411, Annex D]

A 9. Do letters of agreement address the minimum areas: [CMS-1, Annex D]
Yes/No a. Compliance with locally prepared COMSEC instructions?
Yes/No b. COMSEC incident and PDS documentation and reporting procedures?
Yes/No c. Responsibility for certifying clearance/access?
Yes/No d. The issuance of COMSEC material in electronic form?
Yes/No e. Notification of LE appointments or the granting of access?

Yes/No/NA P 10. For external LEs supported through a LOA/MOU only. Are inventories completed for change of command, change of OIC or LE issuing (as applicable)? [CMS-1, Art. 407.n, 407.p, 753.f, 1003.b]

Yes/No P 11. For external LEs supported through a LOA/MOU only. Does the CO or OIC, as applicable, conduct a minimum of one spot check per quarter within their organization? [CMS-1, Art. 407.i, 1003.a.23]

Yes/No I 12. Do LE personnel possess a security clearance equal to/higher than the material they have access to and are LE personnel authorized access to keying material in writing by the CO/OIC/SCMSRO? [CMS-1, Art. 403.b.8, 407.c, 503.d, 909.c.2]


Yes/No/NA I 13. Are LE personnel with access to physical or unencrypted keying material used to protect SCI/SI information SCI/SI eligible and indoctrinated? [CMS-1, Art. 403.b.5, 909.c.2]

Yes/No A 15. Have personnel with access to SECRET or T.S. cryptographic information executed the required SD-572 and are they retained on file, as required? [CMS-1, Art. 403.b.12, 411.b.9, Annex G]

Yes/No A 16. Have personnel performing cryptographic maintenance on CCI executed a DD-2625 and are they retained for 90 days from the date access is no longer required? [CMS-1, Art. 515.c, Annex G]

Yes/No/NA A 17. Have LE personnel with access to COMSEC material completed the applicable qualification level of the (NAVEDTRA 43462 series) personnel qualification standards (PQS) or Service-Authority developed equivalent? [CMS-1, Art. 307, 403.b.13]

Yes/No A 18. Do all formally designated LE personnel (COMSEC users) participate in or receive COMSEC training monthly and is training documented in accordance with command directives? [CMS-1, Art. 409.k, 411.b.4, Annex G]

Yes/No A 19. Do LE personnel have access to written guidance (provided by the CAM) concerning the proper handling, accountability, and disposition of COMSEC material? [CMS-1, Art. 409.j]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


SECTION II

TAB 1 – ACCOUNTABILITY AND MANAGEMENT OF COMSEC MATERIAL

Area/Item Reviewed

Yes/No/NA A 1. For LE Issuing only. Does the LE issuing maintain an up to date product inventory provided by the parent account CAM or have a locally created inventory for material issued to the LE? [CMS-1, Art. 411.b, 751.b]

Yes/No/NA P 2. For LE Issuing only. Do local custody documents (i.e., SF 153, or locally prepared equivalent), contain the minimum required information? [CMS-1, Art. 755.a]

Yes/No I 3. Does the LE maintain a local custody file which contains signed, effective local custody documents for each item of COMSEC material issued from the supporting account? [CMS-1, Art. 411.b.15, 909.c.18, Annex G] Note: For a LE using, if the material is being properly inventoried on a watch-to-watch inventory and a copy of the LCI is held by the CAM, assess as an administrative discrepancy; if the CAM also does not have the LCI document, assess as an incident in Annex A.

Yes/No A 4. Are inactive files/records labeled to reflect the authorized date of destruction? [CMS-1, Art. 759.a.13, Annex G]

Yes/No P 5. Are inventories of COMSEC material conducted & documented on a local custody document (non-watch stations) or a watch-to-watch inventory? [CMS-1, Art. 759.a.2, 759.a.8, 1003.a.18; COMDTINST M5510.23 (series), Ch. 4]

Yes/No P 6. Does the inventory reflect all COMSEC accountable material by short title, edition, register/serial # and quantity (including resealed segments and CIKS for ESDs)? [CMS-1, Art. 759.a.2, 1003.a.1]

Yes/No P 7. Has the inventory been signed & dated for each change of watch or on days when the container is opened for a non-watch environment? [CMS-1, Art. 759.a.6, 759.a.8, 1003.a.1]

Yes/No A 8. Are watch-to-watch inventories retained for 30 days beyond the last recorded date on the inventory? [CMS-1, Art. 759.a.14, Annex G]

Yes/No/NA 9. If keying material was unintentionally removed from its protective canister, is the following recorded on the CMS-25: [CMS-1, Art. 761.c, 821.f, 909.c.15, 1003.a.6]
Yes/No/NA A a. A statement the keytape segment(s) were unintentionally removed?
Yes/No/NA A b. The date of the removal?
Yes/No/NA A c. Identity of the keytape segment(s) actually removed?
Yes/No/NA P d. Signatures of the individuals who removed the key?
Note: Except as authorized in Art. 761.c, premature extraction is a non-reportable PDS when properly documented on the CMS-25; when not documented, report as a Physical incident (unexplained removal of key).


Yes/No/NA A 10. Are key tape canisters free of locally applied labels and stickers which may conceal attempted penetration or prevent inspection of protective packaging? [CMS-1, Art. 749.e, 749.f, 909.c.4] Note: If discovered, remove label, inspect the canister and train the user. If the canister is damaged, report as a physical incident.

Yes/No/NA A 11. Are effective & supersession dates annotated on all physical keying material, accountable manuals and publications? [CMS-1, Art. 749.a, 749.e]

Yes/No I 12. Are local destruction records completed and retained to document destruction of T.S., Secret and all ALC-1, 2 and 6 material? [CMS-1, Art. 725.b.2, 909.c.18] Note: Assess as an incident only if the account reflects the material as still issued and the LE has neither the material nor an SF-153 to account for its disposition.

13. Do local destruction records for physical segmented material reflect: [CMS-1, Figure 7-1-2]
Yes/No P a. Short title and complete accounting data?
Yes/No P b. Date of destruction?
Yes/No P c. Signatures of the two individuals conducting destruction?
Yes/No A d. Marked “CONFIDENTIAL (When filled in)”?
Yes/No A e. Classification and declassification markings (Derived from: NSTISSI 4002; Declassify on: DD Month YYYY)?

Yes/No P 14. Is only one copy of a short title, edition, and register/serial number recorded on the local destruction document? [CMS-1, Figure 7-1-2, Paragraph 8, Art. 1003.a]

Yes/No A 15. Are local destruction records [SF-153s] for COMSEC material maintained by the LE for 2 years past the destruction of the material? [CMS-1, Art. 725.b.3, 909.c.18, Annex G, Paragraph 2.j] Note: If the material was properly destroyed and documented on a local destruction record and a copy of the LCI is held by the CAM, assess as an administrative discrepancy; if the CAM does not have the local destruction document, assess as an incident in Annex A.

Yes/No P 16. Is destruction of issued superseded key completed within the proper timeframe? [CMS-1, Art. 759.b, 771.d, 909.c.5, 1003.a.8] Note: Late destruction of physical or NATO key is a COMSEC incident; late destruction of non-NATO electronic key is a PDS.

Yes/No A 17. Can LE personnel demonstrate the proper procedures for conducting routine destruction of COMSEC material? [CMS-1, Art. 771, 773, 825; DOC 127-10, DOC 024-12]

Yes/No/NA P 18. If the LE has experienced a corrupted/failed ESD storing modern key, did the LE submit a manual SF-153 destruction document to the supporting CAM, as applicable? [CMS-1, Art. 773.e, 1003.a.9]

Yes/No P 19. Are HAIPE or SCIP devices rekeyed at a minimum of annually? [CMS-1 Art. 1003.a.12; DOC 007-07 Section IV; CNSSI 4032 Annex G]

Yes/No P 20. Do LE personnel ensure modern key filled into end cryptographic units (ECUs) is deleted from the ESD following loading, and report to the CAM that the key was filled into end equipment? [CMS-1, Art. 517.d.2, 773.d, 1003.a.8]


Yes/No P 21. Does the LE use the NCMS modern key tracking tool or a locally created tool to manage modern key and ensure INEs are not operating on expired key? [CMS-1, Paragraph 411.b.16; 1003.a.30]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 2 – PAGE CHECKS, CORRECTIONS & AMENDMENTS

Area/Item Reviewed

Yes/No A 1. Are required page checks conducted as follows: [CMS-1, Art. 759.a.5, 761.i, 769.g.5 – 769.g.7, Annex L]
Yes/No A a. Unsealed or resealed COMSEC keying material: upon initial receipt; during account and watch inventories; and prior to destruction?
Yes/No/NA A b. Unsealed maintenance and operating manuals: upon initial receipt; following entry of an amendment which changes pages; during account or watch inventories; and prior to destruction?
Yes/No/NA A c. Equipment: upon initial receipt; during account and watch inventories; and prior to destruction?

Yes/No/NA A 2. Are corrections to publications made with black ink only? [CMS-1, Art. 769.g.2]

Yes/No/NA A 3. Is each pen and ink correction identified by writing the correction number in the margin opposite the correction? [CMS-1, Art. 769.g.2]

Yes/No/NA A 4. Has the individual entering a correction signed and dated the Record of Amendments (ROA) page of the publication certifying that he/she has entered the change? [CMS-1, Art. 769.g.4]

Yes/No/NA A 5. Has the individual who verified proper entry of the correction initialed the entry on the ROA page? [CMS-1, Art. 769.g.7]

Yes/No/NA A 6. Have both the person entering the correction and the person verifying the correction conducted a page check of the publication, and recorded this on the Record of Page (ROP) checks page? [CMS-1, Art. 769.g.7]

Yes/No/NA I 7. Are page check discrepancies being reported? [CMS-1, Art. 909.c.1, 1003.b.4; Annex K] Note: Page check discrepancies must be reported as a physical incident for classified material; for unclassified material not marked or designated as CRYPTO or nomenclated as CCI, report per Art. 1003.b of CMS-1.

Yes/No/NA A 8. Are page checks of publications and amendment residue recorded on the ROP checks page? [CMS-1, Art. 745.c, 769.g.6]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 3 - OVER-THE-AIR-DISTRIBUTION/REKEY/TRANSFER (OTAD/OTAR/OTAT), HAIPE-TO-HAIPE KEY TRANSFER (HtHKT) & SIMPLE KEY LOADER/TACTICAL KEY LOADER/REALLY SIMPLE KEY LOADER (SKL/TKL/RASKL)

Yes/No P 1. If the LE generates, transmits, relays or receives electronic key, are local accounting records used and retained? [CMS-1, Art. 409.o, 1003.a, Annex G; NAG 16, Paragraph 4.i; CNSSI 4032, Paragraph 21.a.2]

Yes/No P 2. If the LE has a KOK-23, are PINs changed every six months or more frequently, as required? [CMS-1, Art. 1003.a.13; DOC 027-09, Paragraph 9]

Yes/No/NA P 3. If the LE has a KOK-23, are the associated CIKS reflected on the local inventory and accounted for? [CMS-1, Art. 759.a, 1003.a.4; DOC 027-09, Paragraph 7]

Yes/No/NA I 4. If T.S. key is stored in an ESD (RASKL/TKL/SKL) and the CIK is stored or accessible, is the device handled, stored and safeguarded under TPI? [CMS-1, Art. 505.e.3, 909.c; DOC 127-10, Paragraph 8.b.2; DOC 042-11, Paragraph 6, 18; DOC 024-12, Paragraph 6.c]

Yes/No I 5. Is access to SSO passwords restricted to individuals who are authorized to perform privileged functions? [DOC 127-10, Paragraphs 8, 15.g, 20.c; DOC 042-11, Paragraph 11; DOC 024-12, Paragraph 11.c]

Yes/No P 6. Are ESD CIKS locally accounted for when inventories are conducted? [DOC 127-10, Paragraph 19.c; DOC 042-11, Paragraph 18.b; DOC 024-12 Paragraph 19.b]

Yes/No I 7. Is audit trail data reviewed by the SSO or CAM semi-annually or more frequently, and are audit trail review logs retained for the current and previous 2 years? [DOC 127-10, Paragraph 20.b, 20.d.6, 32.b; DOC 042-11, Paragraphs 8, 11, 28.c; DOC 024-12, Paragraph 8, 11.c, 31.n; CMS-1, Annex G]

Yes/No I 8. Are ESDs which are initialized or storing key reinitialized at a minimum of annually? [DOC 127-10, Paragraph 32.b; DOC 042-11, Paragraph 28.c; DOC 024-12, Paragraph 31.n; CMS-1, Art. 909.a.6]

Yes/No A 9. Are ESDs which are initialized or storing key visually inspected for cracks in the housing or other signs of tampering? [CMS-1, Art. 823; DOC 127-10, Paragraph 17.b.2; DOC 042-11, Paragraph 12; DOC 042-12, Paragraph 12]

Yes/No I 10. Does the CAM or SSO ensure personnel with access to the SKL and key possess a clearance equal to/higher than the information or key stored in the device? [DOC 127-10, Paragraph 8.a; DOC 042-11, Paragraph 11.a; DOC 042-12, Paragraph 11.b]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


SECTION III

TAB 1 – PHYSICAL SECURITY

Area/Item Reviewed

Yes/No A 1. Is the space or vault which contains COMSEC material outwardly identified as a “Restricted Area”? For USMC accounts, does the sign meet applicable USMC-specific criteria? [OPNAVINST 5530.14 (series), Art. 210.g, 218.a; MCO 5530.14 (series), Art. 3004]

Yes/No A 2. Are applicable security controls (guards and alarms) in place for the vault or COMSEC office? [CMS-1, Art. 509, 521; MCO 5530.14 (series), Art. 3003; SECNAV-M 5510.36, Art. 10-3]

Yes/No A 3. In a non-continuously manned COMSEC facility, are daily security checks conducted once every 24 hours or prior to the departure of the last person and documented on a SF-701 and are SF-701s retained for 30 days beyond the last date recorded? [CMS-1, Art. 521.d.3, Annex G; SECNAV M5510.36, Art. 7.11]

Yes/No A 4. If the COMSEC facility is continuously manned, are security checks conducted at least once every 24 hours, documented on a SF-701 and are SF-701s retained for 30 days beyond the last date recorded? [CMS-1, Art. 521.d.3, Annex G; SECNAV M5510.36, Art. 7.11]

Yes/No/NA A 5. If a COMSEC facility in a high risk area is unmanned for periods greater than 24 hours, is a check conducted at least once every 24 hours and documented on a SF-701 to ensure that all doors are locked and that there have been no attempts at forceful entry? [CMS-1, Art. 521.d.3; CNSSI 4005, Annex D]

Yes/No I 6. Are adequate visitor controls enforced to ensure access to classified information is given only to visitors who possess the proper security clearance, identification, and need to know? [CMS-1, Art. 521.e, 909.c.2; SECNAV-M 5510.30, Art. 11-1, Paragraph 2, 3; SECNAV-M 5510.36, Art. 7-12]

Yes/No A 7. Is a visitor's register in use, properly maintained (all blocks filled out) and retained for one year? [CMS-1, Art. 521.e, Annex G]

Yes/No I 8. Are the names of individuals with regular duty assignments in the COMSEC facility on a formal access list signed by the CO/OIC/SCMSRO or signed in on a visitor’s register until the access list is updated? [CMS-1, Art. 503.d, 521.e, 909.c.2]

Yes/No A 9. Has formal facility approval been given in writing by the ISIC/IUC or higher authority to install, maintain, operate and store classified COMSEC material? [CMS-1, Art. 521.d] Note: USMC accounts are required to have a Physical Security Survey (PSS) conducted biennially by a school trained Military Provost Officer. [Marine Corps Order 5530.14 (series)]

Yes/No A 10. Is the exterior of each COMSEC security container free of markings which reveal the classification or description of the material stored therein? [SECNAV-M 5510.36, Art. 10-1, Paragraph 3]


Yes/No I 11. Do storage containers and locking mechanisms meet the minimum security requirements for the highest classification of material stored therein including material subject to TPI? [CMS-1, Art. 509.d; SECNAV-M 5510.36, Art. 10-3]

Yes/No A 12. Is an Optional Form (OF-89) maintained for each security container, used to record damages, repairs or alterations, and retained within the container? [CMS-1, Art. 509.b; SECNAV-M 5510.36, Art. 10-15]

Yes/No A 13. Is a Security Container Information Form (SF 700) maintained for each lock combination and Part 1 placed in each COMSEC security container? [CMS-1, Art. 509.b; SECNAV-M 5510.36, Art. 10-12, Paragraph 4]

Yes/No A 14. Is a Security Container Check Sheet (SF-702) maintained for each lock combination of a COMSEC storage container and retained for 30 days beyond the last date recorded? [CMS-1, Art. 509.b, Annex G; SECNAV-M 5510.36, Art. 7-10]

Yes/No I 15. Except in an emergency, are combinations to security containers used to store COMSEC material restricted to properly cleared and authorized LE personnel? [CMS-1, Art 507.c, 909.c.2]

Yes/No I 16. Are combinations to containers storing material subject to TPI protected to prevent a single person from having knowledge of both combinations? [CMS-1, Art. 507.c, 909.c]

Yes/No I 17. Are sealed records of combinations to COMSEC containers maintained in an approved security container (other than the container where the COMSEC material is stored) and available to duty personnel for emergency use? [CMS-1, Art. 507.e; 909.c]

Yes/No A 18. Are combinations to COMSEC containers changed when initially placed in use, taken out of service, at least biennially, upon transfer/ reassignment of personnel who have access, or when compromised? [CMS-1, Art. 507.b]

Yes/No A 19. Are/do SF-700s: [CMS-1, Art. 507.f, 909.c]
a. Individually wrapped and protectively packaged? If not, and a single person has access to both and the material is subject to TPI, assess as a COMSEC incident.
b. Sealed using non-transparent lamination or plastic tape?
c. Reflect the names, addresses and phone numbers of individuals authorized access to the combination on the front of the envelope?
d. Reflect the proper classification and downgrading markings on Part 2 and 2A?
e. Inspected monthly for tampering and the inspection documented?

Yes/No A 20. Is physical COMSEC material stored separately from other classified material (e.g., separate container or drawer to facilitate emergency removal or destruction), and segregated by classification, status, and type? [CMS-1, Art. 509.a.3]

Yes/No I 21. Is COMSEC material, including media containing black key packages, properly safeguarded or stored when not in use or under the direct control of authorized personnel? [CMS-1, Art. 509.a.1, 803.e, 909.c.18]

Yes/No A 22. Are COMSEC files, records and logs handled and stored in accordance with their overall classification and properly marked to reflect the overall classification, the derivative source and declass/downgrading instructions? [CMS-1, Art. 711.a, 711.d; SECNAV-M 5510.36, Art. 6-3, 6-26]


CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 2 - EMERGENCY ACTION PLAN (EAP)

Area/Item Reviewed

Yes/No A 1. Does the LE have an EAP for safeguarding COMSEC material in the event of an emergency? [CMS-1, Annex E, Paragraph 2]

Yes/No A 2. Are all authorized LE personnel at the command/facility made aware of the existence of the EAP? [CMS-1, Annex E, Paragraph 6]

Yes/No A 3. For commands located within the U.S. and its territories, does the EAP provide guidance detailing actions to be taken for natural disasters, civil/mob actions and terrorism? [CMS-1, Annex E, Paragraph 2]

Yes/No A 4. When planning for natural disaster, does the EAP provide for: [CMS-1, Annex E, Paragraph 4]
a. Fire reporting and initial firefighting by assigned personnel?
b. Assignment of on-the-scene responsibility for protecting COMSEC material held?
c. Protecting material when admitting outside emergency personnel into the secure area(s)?
d. Securing or removing classified COMSEC material and evacuating the area(s)?
e. Assessing and reporting probable exposure of classified COMSEC material to unauthorized persons during the emergency?
f. Completing a post-emergency inventory of COMSEC and Controlled Cryptographic Item (CCI) material and reporting any losses or unauthorized exposures to appropriate authorities?

Yes/No A 5. Are EAP training exercises conducted yearly to ensure that everyone is familiar with their assigned duties? [CMS-1, Annex E, Paragraph 6.d.3]

Questions 6 – 15 in TAB 3 only apply to units located outside the U.S. and its territories, and to deployable units.

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER.


TAB 3 - EMERGENCY DESTRUCTION PLAN (EDP)

Area/Item Reviewed
Yes/No A 6. Does the LE have an EDP incorporated into their EAP? [CMS-1, Annex E, Paragraph 2.c]
Yes/No A 7. Does the EDP identify personnel assignments and the chain of command authorized to direct emergency destruction? [CMS-1, Annex E, Paragraph 5.d; SECNAV-M 5510.36, Exhibit 2B]

Yes/No A 8. Are devices and facilities for the emergency destruction of COMSEC material readily available and in good working order? [CMS-1, Annex E, Paragraphs 5.d, 6.c]

Yes/No/NA A 9. Are the sensitive pages of KAMs prepared for ready removal (i.e., upper left corner clipped), and are the front edges of the covers/binders marked with a distinctive marking (i.e., red stripe)? [CMS-1, Annex E, Paragraph 5.e] Note: Sensitive pages are reflected on the last page of the KAM.

Yes/No A 10. Are destruction priorities indicated in the plan? [CMS-1, Annex E, Paragraph 8]

Yes/No A 11. Are EAP/EDP training exercises conducted at least annually to ensure personnel are familiar with their duties? [CMS-1, Annex E, Paragraph 6.3]

Yes/No A 12. Is the EDP divided into two parts: one for precautionary and one for complete destruction? [CMS-1, Annex E, Paragraph 7]

Yes/No A 13. Does the EDP provide for adequate identification and rapid reporting of the material destroyed, to include the method and extent of destruction and any classified COMSEC material items presumed compromised? [CMS-1, Annex E, Paragraph 10]

Yes/No A 14. Does the EDP stress that accurate reporting of information concerning the extent of the emergency destruction is second in importance only to the destruction of the material itself? [CMS-1, Annex E, Paragraph 10]

Yes/No A 15. For surface units: Are document sinking bags available in sufficient quantity and in good condition to permit jettison of COMSEC material? [CMS-1, Annex E, Paragraph 9.d]

CO or Auditor: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN

REPORTED TO THE COMMANDING OFFICER.


ANNEX C

VAULT INSPECTION GUIDE


ACTION. The following checklist shall be used and completed, in its entirety, by the auditor conducting the COMSEC account audit or inspection, as applicable. The criteria herein apply to shore-based vaults used to store keying material that were constructed and approved prior to 01 Jan 2013. Shore-based vaults used to store keying material which are constructed or structurally modified on or after 01 Jan 2013 must obtain facility approval based on ICD-705 requirements.

Per Chapter 2 and Art. 401 of this manual, audit reports evaluated as unsatisfactory shall include references and comments to substantiate the evaluation. Auditors are encouraged to take note of deficient areas and ensure they are addressed and discussed in both the out-brief and the official report.

Note: Non-compliance with a particular item contained in either Annex C or D, as applicable, may not translate to a specific COMSEC incident or PDS as defined in CMS-1 Art. 909 and 1003. When not defined otherwise, discrepancies will be noted as administrative discrepancies and counted as such when assessing the account in the final report (for COR audits).

The minimum construction requirements derived from CMS-1 (series) Annexes I and J, as applicable, must be met prior to an activity receiving facility approval. For continued storage of classified COMSEC material, the facility approval will be re-validated prior to or as part of the ISIC COR audit. Initial facility approval or continued approval (in the form of the COR audit report) should not be granted without consulting NCMS and requesting a waiver for any non-compliant items noted.


VAULT CHECKLIST
Area/Item Reviewed
Yes/No 1. For a class "A" vault (authorized for storage of TOP SECRET and below keying material), are the following constructed properly and with approved materials? [CMS-1 (series), Annex I, Paragraph 2]
a. Floors and walls: Poured, reinforced concrete, minimum 8" thick, with reinforcing rods at least 3/8" in diameter mounted vertically and horizontally on centers not less than two inches and not greater than ten inches. Walls shall connect solidly with the vault roof and floor.

Yes/No b. Roof: Single piece, reinforced-concrete slab of a thickness to be determined by structural requirements, but not less than the walls and floors.

Yes/No c. Ceiling: Where existing floor-to-ceiling exceeds 12 feet, a vault roof, structurally equal to the vault walls, may be constructed at a height determined by structural limitations, size of equipment to be enclosed, optimum utilization of existing enclosed air space, and specific user requirements. Note: Where the existing roof does not conform to the vault roof requirements stated above, a vault roof, which is structurally equal to the vault walls shall be constructed.

Yes/No d. Vault Door and Frame Unit: Shall afford protection not less than that provided by a Class 5 vault door specified in Interim Federal Specification AA-D-600 (GSA-FSS), Door, Vault, Security.

Yes/No e. Lock: A combination lock that conforms to Underwriters' Laboratories, Inc. Standard No. 768, Group 1R or Group 1. The specific lock model used shall bear a valid UL Group 1R or Group 1 label. Note: Vault doors procured after 14 April 1993 must be equipped with a GSA-approved combination lock that meets, at a minimum, the requirements of Federal Specification FF-L-2740/A. [CMS-1, Annex I, Paragraph 2]

2. Are shore-based CMS storage vaults equipped with the following minimum safety requirements? [CMS-1, Annex I, Paragraph 5.a]
Yes/No a. A luminous-type light switch? [May be painted with fluorescent paint]
Yes/No b. Emergency lighting?
Yes/No c. An interior alarm switch or device (e.g., telephone, intercom)?
Yes/No d. A decal containing emergency instructions on how to obtain release if locked inside?

3. If an emergency escape device is considered necessary, have the following minimum requirements been met? [CMS-1, Annex I, Paragraph 5.b]
Yes/No a. Is it permanently attached to the inside of the door, such that it cannot be activated by the exterior locking device or accessed from the outside?
Yes/No b. Is it designed and installed so that drilling and rapping the door from the outside will not give access to the vault by activating the escape device?
Yes/No c. Does the device meet the requirements of Federal Specification AA-D-600 series, Paragraph 4.4.8, regarding an exterior attack on the door?


4. If an emergency escape device is not provided, have the following approved Underwriters Laboratories (UL), Inc., devices been installed in the vault: [CMS-1, Annex I, Paragraph 5.c]

Yes/No a. A UL Bank Vault Emergency Ventilator?

Yes/No b. At least one UL approved fire extinguisher situated in a position near the vault door?

Yes/No 5. Are emergency destruction tools readily available? [CMS-1, Annex E, Paragraph 5.d and 6.c]

Yes/No 6. Is the space/compartment or vault which contains COMSEC material outwardly identified as "RESTRICTED AREA/AUTHORIZED PERSONNEL ONLY"? [OPNAVINST 5530.14 (series), Art. 210 and 218]

Yes/No/NA 7. For USMC accounts only. Does the COMSEC office have an Intrusion Detection System (IDS) installed, and is it checked at defined intervals? [MCO 5530.14 (series), Art. 3003]

Yes/No 8. Is a central record of combinations maintained in a security container, approved for storage of the highest classification of the material protected by the combination locks, for each vault used for the storage of COMSEC material? [CMS-1, Art. 507.e]

Yes/No/NA 9. If the original security integrity of the vault has been degraded in any way, have approved repairs been made and documented? [SECNAV-M 5510.36, Art. 10-15] Note: If external modifications are made after 01 Jul 93, the container or vault door is no longer authorized to store any classified material. [CMS-1, Art. 509.c]
Yes/No/NA a. Is the gate frame made of not less than 3/8" by 1 1/2" steel members, and equipped with a locking device arranged to permit locking and unlocking of the gate from the inside?

Inspected by: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN

REPORTED TO THE COMMANDING OFFICER.


ANNEX D

FIXED COMSEC FACILITY INSPECTION GUIDE


PURPOSE: To provide a checklist for use by personnel tasked with certifying/recertifying a facility used for storage of COMSEC material, to ensure it meets the minimum physical security safeguards. COMSEC facilities approved by an Accrediting Official in accordance with ICD-705 (SCIF) or JAFAN 6/9 (SAPF) standards do not require separate facility approval or further inspection by COMSEC personnel.

Command Audited & Date:

COMSEC Account Number:

Immediate Superior in Command:

Date of Last COR Audit:

Date of Last A&A Visit:

Date of Most Recent Facility Approval:

Name/Grade/Rate/Command of Auditor:

Manager Name, Grade & Date of Appointment:

Primary Alternate Name, Grade, & Date of Appointment:

ACTION. The following audit checklist shall be used and completed in its entirety by the auditor conducting the CMS COR audit. NOTE: Non-compliance with a particular item contained in Annex C or D, as applicable, may not translate to a specific COMSEC incident or PDS as defined in CMS-1 Articles 909 and 1003. When not defined otherwise, discrepancies will be treated as administrative and counted as such when assessing the account in the final report (for COR audits). Minimum construction requirements derived from CMS-1 must be met prior to an activity receiving facility approval, and bi-annually thereafter for continued storage of classified COMSEC material. Initial facility approval or continued approval (in the form of the COR audit report) should not be granted without consulting NCMS and requesting a waiver for any non-compliant items noted.


FIXED COMSEC FACILITY CHECKLIST

Area/Item Reviewed
Yes/No 1. Is the facility constructed of solid, strong materials that deter and detect unauthorized penetration? [CMS-1, Annex J, Paragraph 2]

Yes/No 2. Does the facility provide adequate attenuation of internal sounds that would divulge classified information through walls, doors, windows, ceilings, air vents, and ducts? [CMS-1, Annex J, Paragraph 2]

Yes/No 3. Are walls constructed from true floor to true ceiling? [CMS-1, Annex J, Paragraph 3.a]

Yes/No 4. Are ceilings at least as thick as the outer walls, and do they offer the same level of security as the outer walls? [CMS-1, Annex J, Paragraph 3.b]

Yes/No 5. If false ceilings are used, are additional safeguards used to resist unauthorized entry (e.g., installed, approved intrusion detection system (IDS) in the area above the false ceiling)? [CMS-1, Annex J, Paragraph 3.c]

Yes/No 6. Is only one door used for regular entrance to the facility? (Other doors may exist for emergency exit or for the entry or removal of bulky items.) [CMS-1, Annex J, Paragraph 4]

Yes/No 7. Do all doors remain closed during facility operations, opened only to admit authorized personnel or materials? [CMS-1, Annex J, Paragraph 4.a]

Yes/No 8. Do the main entrance facility doors comply with the following standards: [CMS-1, Annex J, Paragraph 4.b]

Yes/No a. Does the door have sufficient strength to resist forceful entry? (In preference order, examples of acceptable doors are: GSA-approved vault doors, Standard 1-3/4" internally reinforced, hollow metal industrial doors, or metal-clad or solid hardwood doors with a minimum thickness of 1-3/4"). Note: Unattended telecommunications facilities constructed after 1993 shall have only one door.

Yes/No b. Is the door frame securely attached to the facility and fitted with a heavy-duty/high security strike plate, and hinges installed with screws long enough to resist removal by prying?

Yes/No c. Is the door installed as to resist removal of hinge pins? (This can be accomplished by either installing the door so that the hinge pins are located inside the facility, or by set screwing/welding the pins in place.)

Yes/No d. If the facility is not continuously manned, is the door equipped with a GSA-approved electro-mechanical lock meeting, at a minimum, Federal Specification FF-L-2740/A? [CMS-1, Annex J, Paragraph 4.b]

Yes/No 9. If the facility is continuously manned (a built-in lock is not required), is the door designed so that a GSA-approved electro-mechanical lock meeting Federal Specification FF-L-2740/A and a dead bolt can be affixed to the outside should it ever become necessary to lock the facility (e.g., in case of emergency evacuation)? [CMS-1, Annex J, Paragraph 4.b] Note: An electronically activated lock (e.g., cipher lock or keyless push-button lock) may be used on the entrance door to facilitate the admittance of authorized personnel when the facility is operationally manned. However, these locks do not afford the required degree of protection and may not be used to secure the facility when it is not manned.


Yes/No 10. Do other doors (e.g., emergency exit doors and doors to loading docks) meet the same installation requirements as the main facility entrance doors, and are they designed so that they can only be opened from inside the facility? [CMS-1, Annex J, Paragraph 4.b] Note: Approved panic hardware and locking devices (lock bars, dead bolts, knobs, or handles) may be placed only on the interior surfaces of other doors to the facility.

Yes/No 11. Is the entrance area equipped with a device which affords personnel desiring admittance the ability to notify personnel within the facility of their presence? [CMS-1, Annex J, Paragraph 4.b(4)]

Yes/No 12. Is a method employed to establish positive visual identification of a visitor before entrance is granted? [CMS-1, Annex J, Paragraph 4.b]

Yes/No 13. Is the entrance designed in such a manner that an individual cannot observe classified activities until cleared for access into the restricted spaces? [CMS-1, Annex J, Paragraph 4.b]

Yes/No 14. Where windows exist, are they secured in a permanent manner to prevent them from being opened? (COMSEC facilities should not normally contain windows.) [CMS-1, Annex J, Paragraph 5]

Yes/No 15. Are windows alarmed and/or barred to prevent their use as an access point? [CMS-1, Annex J, Paragraph 5.a]

Yes/No 16. Is observation of internal operations of the facility denied to outside viewing by covering the windows from the inside, or otherwise screening the secure area from external viewing? [CMS-1, Annex J, Paragraph 5.b]

Yes/No 17. Are other openings such as air vents, ducts, or any similar openings which breach the walls, floor, or ceiling of the facility, appropriately secured to prevent penetration? [CMS-1, Annex J, Paragraph 6]

Yes/No 18. Do openings which are less than 96 square inches, have approved baffles installed to prevent an audio or acoustical hazard? [CMS-1 (series), Annex J, Paragraph 6.a]

Yes/No 19. If the opening exceeds 96 square inches, are acoustical baffles supplemented by either hardened steel bars or an approved intrusion detection system (IDS)? [CMS-1, Annex J, Paragraph 6.b]

Inspected by: ______________ Manager: _______________

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN

REPORTED TO THE COMMANDING OFFICER.


ANNEX E

CMS COR AUDIT REPORT EXAMPLE


From: [CMS COR Auditor]
To: [ISIC/IUC]
Commanding Officer, Naval Communications Security Material System

Subj: REPORT OF CMS COR AUDIT OF (COMMAND TITLE)

Ref: (a) CMS-3

1. Command/ISIC/Auditor Data:
Title of command audited
COMSEC Account Number/HCI
COMSEC Account Manager
Primary Alternate Manager
Date Audited
Audited by (Name, Rank/Rate/Grade)
Auditor Certification Date
Audited Command ISIC/IUC
Certifying COR Auditor

2. Evaluation of the command audited [GRADE: (SAT or UNSAT)] and comments as required to substantiate the evaluation. Evaluation criteria are in accordance with reference (a), Art. 205.d.3.
COMSEC INCIDENTS:
REPORTABLE/NON-REPORTABLE PDS:
ADMINISTRATIVE ERRORS:
OVERALL: SAT/UNSAT

3. Findings: List each significant discrepancy requiring action, the applicable reference(s) and the recommended approach to correct and resolve the discrepancies. Do not list items of a minor administrative nature.

4. Any additional comments or remarks.

5. The facility meets all physical security standards and continued approval to hold classified COMSEC material up to the level of ______ is authorized.

6. [In accordance with reference (a), copies of this report, portions thereof, or correspondence related thereto, from a source external to the Department of the Navy shall include the appropriate caveat included in Articles 410.a – 410.c of reference (a), as applicable.]


7. Commands must provide a written report describing what actions were taken to correct discrepancies noted during the audit. This report shall be forwarded to the ISIC/IUC and NCMS//N7// within 30 days from the day of the audit.

[CMS COR Auditor]


ANNEX F

CMS COR AUDIT FEEDBACK REPORT EXAMPLE


FM (ISIC/IUC)
TO NCMS WASHINGTON DC
INFO CHAIN OF COMMAND
LOCAL CMS ASSISTANCE AND AUDIT TEAM
BT
UNCLAS //N02201//
MSGID/GENADMIN/(ORIG ISIC/IUC PLA)/MONTH//
SUBJ/CMS-3 FEEDBACK REPORT//
REF/A/DOC/NCMS/-//
AMPN/REF A IS CMS-3.//
POC/R. U. UNDERWAY/ITCS(SW)/[email protected]/-/DSN:321-7654//
RMKS/1. IAW ART. 405 TO REF A, THE FOLLOWING FEEDBACK, RECOMMENDATIONS AND APPLICABLE SUPPORTING DOCUMENTATION FOR CHANGE IS SUBMITTED HEREIN.//
BT


ANNEX G

CMS COR ISIC/IUC AUDIT ENDORSEMENT EXAMPLE


From: [ISIC/IUC]
To: [Audited Command]

Subj: ENDORSEMENT ON (INSPECTED COMMAND) CMS COR AUDIT DATED DD MMM YY LTR (SERIAL NUMBER OF AUDIT REPORT)

Ref: (a) CMS-1 Articles 115, 311, 405

Encl: (1) Audit Report dated XX XXX XXXX

1. In accordance with reference (a), you are hereby directed to complete the corrective actions on the deficiencies identified in enclosure (1).

2. A follow-up report is required to be sent to your (ISIC/IUC) no later than 30 days after receipt of the formal audit report.

[ISIC/IUC]